General
-
Target
becauseofflowerwecantgivesuchamemorybecauseflowersareveryimporatntinffrontofloverwholikeyousheismygirl____ireallyloverhertruly.doc
-
Size
65KB
-
Sample
240515-l34v5scc7v
-
MD5
e050b72bd8f7f3c5a79af85cb1a1bd73
-
SHA1
4a43ef0eebc753a7bff961543cbcf441c9f1b4bd
-
SHA256
72dde2686b758581f880758d957458eb735cac9d0fcde2c5a50af2124d1ffc98
-
SHA512
e149d46f6ba561672e97dff8b681e807dafcc505b064144e73389d96835bcd110b13b651a9adcef1b7b59d290565d3cacfe29eb2d1d000b6589c763d74044208
-
SSDEEP
1536:Au/ZLIVlnZBLRzykHlA+lu4VKhk5v0jLJGWu+rtzy:TZ2nZFg4VKhbjLMB+rtW
Static task
static1
Behavioral task
behavioral1
Sample
becauseofflowerwecantgivesuchamemorybecauseflowersareveryimporatntinffrontofloverwholikeyousheismygi.rtf
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
becauseofflowerwecantgivesuchamemorybecauseflowersareveryimporatntinffrontofloverwholikeyousheismygi.rtf
Resource
win10v2004-20240426-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.magna.com.pk - Port:
587 - Username:
[email protected] - Password:
Ahp6wqxfZb)D - Email To:
[email protected]
Targets
-
-
Target
becauseofflowerwecantgivesuchamemorybecauseflowersareveryimporatntinffrontofloverwholikeyousheismygirl____ireallyloverhertruly.doc
-
Size
65KB
-
MD5
e050b72bd8f7f3c5a79af85cb1a1bd73
-
SHA1
4a43ef0eebc753a7bff961543cbcf441c9f1b4bd
-
SHA256
72dde2686b758581f880758d957458eb735cac9d0fcde2c5a50af2124d1ffc98
-
SHA512
e149d46f6ba561672e97dff8b681e807dafcc505b064144e73389d96835bcd110b13b651a9adcef1b7b59d290565d3cacfe29eb2d1d000b6589c763d74044208
-
SSDEEP
1536:Au/ZLIVlnZBLRzykHlA+lu4VKhk5v0jLJGWu+rtzy:TZ2nZFg4VKhbjLMB+rtW
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-