General
Target: Shipping-Documents.xlsm
Size: 152KB
Sample: 200709-a8rewrmtqa
MD5: ffaffe494f31800a47057a82843480c5
SHA1: 8a0695bc3f0776a769693ff22db7cd1e3ed0c177
SHA256: ffba42d34595885f6f5432f438ddb49d24539c1ba0e622f0f4ebd4d730c03a4e
SHA512: 7e3ad55095d6859192596254ab7464c4a8368cc98049e4e8d45158fd16f50bb99ab6c3e45c7761f4655255a366c02da236a5298b35f723668120652826cfd2c9
Static task: static1
Behavioral task: behavioral1 (Sample: Shipping-Documents.xlsm, Resource: win7)
Behavioral task: behavioral2 (Sample: Shipping-Documents.xlsm, Resource: win10v200430)
Malware Config
Extracted: http://shopcart.indbytes.com/cig/myori.jpg
This URL was extracted from the sample's configuration. The .jpg extension is a common way to disguise a downloaded executable as an image; treat the URL as a network indicator for blocking and hunting rather than as a picture.
Targets
Target: Shipping-Documents.xlsm
Score: 10/10
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer written in Visual Basic .NET; the credential-harvesting behaviour listed below is characteristic of it.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro. The sample is a macro-enabled Excel workbook (.xlsm), so a macro running inside Excel is the likely parent here.
- Blacklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla, which store saved server credentials on disk.
- Reads user/profile data of local email clients
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext
  Setting another thread's context is a common step in process hollowing and similar code injection, where a hijacked thread is redirected to attacker-controlled code.
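As an added example, not part of the sandbox report: a small Python detector that applies the signatures above (Office parent spawning an unexpected child, execution of a dropped EXE, a suspect process making a network request, loading a dropped DLL, and reads of FTP/browser credential stores) to constructed Sysmon-style telemetry lines. The event format, process names, file paths and pids are hypothetical and constructed for the example; only the download URL comes from the report's Malware Config.

```python
"""Re-implementation of the sandbox report's behavioural signatures as a log detector.

Added example, not code from the report or from the analysed sample. Telemetry lines
are constructed for the example in a hypothetical key="value" format; pids, paths and
process names are invented. Only the URL is taken from the report.
"""
import re
from dataclasses import dataclass

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children Office launches legitimately (print helper, crash reporter); anything else is suspicious.
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe"}
# User-writable directories where dropped executables commonly land before being run.
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")
# Credential stores behind the "Reads data files stored by FTP clients / web browsers" signatures.
CREDENTIAL_FILES = {
    "filezilla": r"\\filezilla\\(recentservers|sitemanager)\.xml$",
    "chromium": r"\\(chrome|edge)\\user data\\default\\login data$",
    "firefox": r"\\firefox\\profiles\\.*\\(logins\.json|key4\.db)$",
}

@dataclass
class Event:
    kind: str          # "process", "network", "file" or "imageload"
    pid: int
    image: str         # lowercased image path of the acting process (process events)
    parent: str        # lowercased parent image (process events)
    target: str        # URL (network) or file path (file / imageload)

def parse_event(line: str) -> Event:
    """Parse one constructed key="value" telemetry line into an Event."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return Event(kind=fields["type"], pid=int(fields["pid"]),
                 image=fields.get("image", "").lower(),
                 parent=fields.get("parent", "").lower(),
                 target=fields.get("target", ""))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def detect(lines):
    """Return (signature, pid, detail) tuples in the order the events were seen."""
    hits = []
    suspects = set()  # Office hosts, their unexpected children and any dropped executables
    for line in lines:
        ev = parse_event(line)
        if ev.kind == "process":
            child, parent = basename(ev.image), basename(ev.parent)
            if child in OFFICE_HOSTS:
                suspects.add(ev.pid)
            if parent in OFFICE_HOSTS and child not in EXPECTED_OFFICE_CHILDREN:
                suspects.add(ev.pid)
                hits.append(("unexpected_office_child", ev.pid, f"{parent} -> {child}"))
            if any(d in ev.image for d in DROP_DIRS):
                suspects.add(ev.pid)
                hits.append(("executes_dropped_exe", ev.pid, ev.image))
        elif ev.kind == "network" and ev.pid in suspects:
            hits.append(("suspect_network_request", ev.pid, ev.target))
        elif ev.kind == "file" and ev.pid in suspects:
            for store, pattern in CREDENTIAL_FILES.items():
                if re.search(pattern, ev.target.lower()):
                    hits.append((f"reads_credential_store:{store}", ev.pid, ev.target))
        elif ev.kind == "imageload" and ev.pid in suspects:
            if any(d in ev.target.lower() for d in DROP_DIRS):
                hits.append(("loads_dropped_dll", ev.pid, ev.target))
    return hits

# Constructed telemetry modelling the report's chain; names and pids are hypothetical.
SAMPLE_EVENTS = [
    'type="process" pid="1200" image="C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE" parent="C:\\Windows\\explorer.exe"',
    'type="network" pid="1200" target="http://shopcart.indbytes.com/cig/myori.jpg"',
    'type="process" pid="1340" image="C:\\Users\\victim\\AppData\\Roaming\\payload.exe" parent="C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE"',
    'type="file" pid="1340" target="C:\\Users\\victim\\AppData\\Roaming\\FileZilla\\recentservers.xml"',
    'type="file" pid="1340" target="C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
    'type="imageload" pid="1340" target="C:\\Users\\victim\\AppData\\Roaming\\helper.dll"',
    # Benign noise that must not alert: Office's print helper and an unrelated updater.
    'type="process" pid="1400" image="C:\\Windows\\splwow64.exe" parent="C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE"',
    'type="network" pid="2000" target="https://update.example.invalid/"',
]

if __name__ == "__main__":
    for sig, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{sig:32} pid={pid} {detail}")
```

The detector keys network and file alerts to a set of suspect pids seeded from the Office host and its unexpected children, so the same credential-store read by a legitimate FTP or browser process produces no alert. Tune EXPECTED_OFFICE_CHILDREN to your estate before deploying anything like this; Office add-ins and document converters will otherwise generate noise.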