General
Target: 0AX4532QWSA.xlsx
Size: 1.3MB
Sample: 210113-tc28lc84ka
MD5: 9b4eeaed62b4b0253a7a3205f771099d
SHA1: e7340dd8904b13bf4dbf842c56479ffdb969287c
SHA256: 9bbe5843787cdc023cff31aaa88ce4b91e52e013d5e4b543323b7eea2f5f51d3
SHA512: 14f539709d5a6a0312bae5a236326812b5bbf9af34b555764c937a3095bd14e689c04f5d95e94b2a118eca42173295cec92779f6688a6e4e8d6b4a49e0deff0e
Static task: static1
Behavioral task: behavioral1
  Sample: 0AX4532QWSA.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 0AX4532QWSA.xlsx
  Resource: win10v20201028
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.gammavilla.org
Port: 587
Username: info@gammavilla.org
Password: county2018
Targets
Target: 0AX4532QWSA.xlsx
Size: 1.3MB
Score: 10/10
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext