General
-
Target
d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4.doc
-
Size
16KB
-
Sample
231201-xtds5sfd26
-
MD5
c6d1103403667550402d92301a0dbe62
-
SHA1
106f1b0488f98debf7599f602278185ffebd7a11
-
SHA256
d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4
-
SHA512
9094dcb1148347c39a240d033f5b78fc92ca072b21eb53c40954323d7e00a686b5ed145dac13ef51af5334f98bfc27913213ad250c697e31fae29abdda0fd96a
-
SSDEEP
384:ayXPNKVWWs8PL8wi4OEwH8TIbE91r2fRSJY5vim/Y1nz3:acP+55P3DOqnYJMMv//Y1nb
Static task
static1
Behavioral task
behavioral1
Sample
d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4.docx
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4.docx
Resource
win10v2004-20231127-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.royalwealth.space - Port:
587 - Username:
[email protected] - Password:
sQxM4AdAZ5kY7As - Email To:
[email protected]
Targets
-
-
Target
d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4.doc
-
Size
16KB
-
MD5
c6d1103403667550402d92301a0dbe62
-
SHA1
106f1b0488f98debf7599f602278185ffebd7a11
-
SHA256
d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4
-
SHA512
9094dcb1148347c39a240d033f5b78fc92ca072b21eb53c40954323d7e00a686b5ed145dac13ef51af5334f98bfc27913213ad250c697e31fae29abdda0fd96a
-
SSDEEP
384:ayXPNKVWWs8PL8wi4OEwH8TIbE91r2fRSJY5vim/Y1nz3:acP+55P3DOqnYJMMv//Y1nb
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-