General
-
Target
docgen20230925.exe
-
Size
1.1MB
-
Sample
231011-rsxlzadb5y
-
MD5
72f02b6a2b8fd2a73ae8715fcc2323ca
-
SHA1
d840ba097b8a157a86b823e4132818a122125381
-
SHA256
b0fbd35f04ce341b8e14ad03684aa7a5fbc7525d163f38bf43a0f6041edeb3c8
-
SHA512
c6b6c54e525503f89395fd76be6f54bf2c898c151a32252ac1e4d04cd39f383992726c43e615cfa149777513bc3fc18b8bd5ce4f73f86f179ee70ef9f4e2b847
-
SSDEEP
24576:CMIwO43ryC3ASF+7Azwr2skstJ6Y2Qc6ZsifO41JdlEQgeGsWML2l:Cu3Ax71rFnJl2Qct8zdltYsW3l
Malware Config
Targets
-
-
Target
docgen20230925.exe
-
Size
1.1MB
-
MD5
72f02b6a2b8fd2a73ae8715fcc2323ca
-
SHA1
d840ba097b8a157a86b823e4132818a122125381
-
SHA256
b0fbd35f04ce341b8e14ad03684aa7a5fbc7525d163f38bf43a0f6041edeb3c8
-
SHA512
c6b6c54e525503f89395fd76be6f54bf2c898c151a32252ac1e4d04cd39f383992726c43e615cfa149777513bc3fc18b8bd5ce4f73f86f179ee70ef9f4e2b847
-
SSDEEP
24576:CMIwO43ryC3ASF+7Azwr2skstJ6Y2Qc6ZsifO41JdlEQgeGsWML2l:Cu3Ax71rFnJl2Qct8zdltYsW3l
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-