General
-
Target
docdav20230926.exe
-
Size
1.1MB
-
Sample
231011-rsqtesdb3y
-
MD5
909d39242d301cc07ffc6196bb487939
-
SHA1
1025f0ad973b6423d58022fc50059fbfd1eac425
-
SHA256
573df9fa921ac9c03d681fd60ca7488df873ff8d1d5f6f8a11807e3189af4761
-
SHA512
b6cfbba8ac398292e4d048c5c648cb85ae20bbf804829e36f92d7a1206720eff20c5f2fbf771c1d79cca9c8de9c143b7cc0f84588dde072632f364c452de8016
-
SSDEEP
12288:Ow7KEJ0aIgurDVQjqREzY3O8tA3QHNu6m15r1/jc/2eUsD:NKE8VQj+EU3Q3QtHm/5/A/XUsD
Static task
static1
Behavioral task
behavioral1
Sample
docdav20230926.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
docdav20230926.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.product-secured.com - Port:
587 - Username:
[email protected] - Password:
575K5(MaZro2575K5(MaZro2 - Email To:
[email protected]
Extracted
snakekeylogger
Protocol: ftp- Host:
ftp://ftp.product-secured.com/ - Port:
21 - Username:
[email protected] - Password:
575K5(MaZro2575K5(MaZro2
Extracted
Protocol: smtp- Host:
mail.product-secured.com - Port:
587 - Username:
[email protected] - Password:
575K5(MaZro2575K5(MaZro2
Targets
-
-
Target
docdav20230926.exe
-
Size
1.1MB
-
MD5
909d39242d301cc07ffc6196bb487939
-
SHA1
1025f0ad973b6423d58022fc50059fbfd1eac425
-
SHA256
573df9fa921ac9c03d681fd60ca7488df873ff8d1d5f6f8a11807e3189af4761
-
SHA512
b6cfbba8ac398292e4d048c5c648cb85ae20bbf804829e36f92d7a1206720eff20c5f2fbf771c1d79cca9c8de9c143b7cc0f84588dde072632f364c452de8016
-
SSDEEP
12288:Ow7KEJ0aIgurDVQjqREzY3O8tA3QHNu6m15r1/jc/2eUsD:NKE8VQj+EU3Q3QtHm/5/A/XUsD
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Snake Keylogger payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-