General
-
Target
3.doc
-
Size
65KB
-
Sample
230825-m3cbkaah85
-
MD5
a1816ace062bdbcb202e580810d5aceb
-
SHA1
d58ffa926fe4a58bf7ac76d994f9a576cf62fd1d
-
SHA256
1ee34dc849cd10bab8d08dec7076ab644851c55a1765de44e8187a53c137569b
-
SHA512
630f871ce4505f0d881a43ab540a1b92ec9d1be6a47f68c30f6fc110e4dae9d40672d4560c7b10cd8168d923f5292b4d285d99bd7377a57d681cf06ed6331625
-
SSDEEP
1536:TwAlReA72q/FbwzaXXJY7JrZC2KPJAOQnnYA+1xt7tuTQj0VEba2Uy0wddJaps:TwAln//FbwzaXXJQJrZC2KPjQnn9kxtj
Static task
static1
Behavioral task
behavioral1
Sample
3.rtf
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
3.rtf
Resource
win10v2004-20230703-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
server320.web-hosting.com - Port:
587 - Username:
[email protected] - Password:
B5TEK}%;g6L7 - Email To:
[email protected]
Targets
-
-
Target
3.doc
-
Size
65KB
-
MD5
a1816ace062bdbcb202e580810d5aceb
-
SHA1
d58ffa926fe4a58bf7ac76d994f9a576cf62fd1d
-
SHA256
1ee34dc849cd10bab8d08dec7076ab644851c55a1765de44e8187a53c137569b
-
SHA512
630f871ce4505f0d881a43ab540a1b92ec9d1be6a47f68c30f6fc110e4dae9d40672d4560c7b10cd8168d923f5292b4d285d99bd7377a57d681cf06ed6331625
-
SSDEEP
1536:TwAlReA72q/FbwzaXXJY7JrZC2KPJAOQnnYA+1xt7tuTQj0VEba2Uy0wddJaps:TwAln//FbwzaXXJQJrZC2KPjQnn9kxtj
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-