General
Target: a6ff73e08b4c77b4c00e2e15fdb5196ddb954016.rtf.tar.gz
Size: 20KB
Sample: 240328-pp2emscd6t
MD5: d22ade5f263eedb549a3089ce044c677
SHA1: c70cc1823ddccc5e309c361d5c217f21d1db3ccc
SHA256: 4ced7a2a26d639e4df68daa87d95302e8d51be011e7e416c80403e02cd551c57
SHA512: cdf7744c357faf8dbfd1e53d7fa56e2a119891b9f44fe40be18dc486ee8c052636fb63dc8d1f5975c0ff9362fa7c7b8883f301d3f8859c535f3fc5c772634c92
SSDEEP: 384:+kVVwlEclcGtr0PCsdnX/ekxnMxlZBZi+EeL5BmWlnIRoWC9RBA4tLxKaWfS:+kVK6GePHX/elxln4+EYlIRoWC9R9LW6
Static task: static1
Behavioral task: behavioral1
  Sample: a6ff73e08b4c77b4c00e2e15fdb5196ddb954016.rtf
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: a6ff73e08b4c77b4c00e2e15fdb5196ddb954016.rtf
  Resource: win10v2004-20240226-en
Malware Config
Extracted
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: viorel5000@yandex.ru
  Password: floxafzwjqjhrmmh
Extracted (agenttesla)
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: viorel5000@yandex.ru
  Password: floxafzwjqjhrmmh
  Email To: viorel5000@yandex.ru
Targets
Target: a6ff73e08b4c77b4c00e2e15fdb5196ddb954016.rtf
Size: 95KB
MD5: 85e4e63dbd2c863f61a33c9e22e596dc
SHA1: a6ff73e08b4c77b4c00e2e15fdb5196ddb954016
SHA256: 60d9b4fd251539aa37f0bd3d453f36a9a487dc8827a741f4d7f1b869b768e68c
SHA512: 27c906436dcb04189537e0f1de055238770cbc9c8cf0a8c07610fe8dc25756051604773cb6f887a5f8c67ca2faa9bb683ed22dc55dbe7dc96fa9b5ca706f4f23
SSDEEP: 1536:mwAlRkwAlRkwAlRqWuoUqfjmM9tDFO9Mpx9XDk:mwAlawAlawAl5uo/fjH9tDFO9erzk
Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext