General
-
Target
PO-21322.xlsm
-
Size
417KB
-
Sample
210322-lvw4w6fd92
-
MD5
e391234ad8969ee93813458c325194c4
-
SHA1
cf4cbacbb5533ec90ec8215d01284d18b35dd139
-
SHA256
2657a10c7ccd83fe042c172a67c31c3a40dfff1c97cc7549533b2af8de2eb88e
-
SHA512
85fb0a3c785da2a5b7a407e052d02a9d17653fc3a8baa9f5b1693e266fb6e5acd2c548042218e53a8ceffd8a48081216fac5868ce05dc76e1defd8223c1fe091
Static task
static1
Behavioral task
behavioral1
Sample
PO-21322.xlsm
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PO-21322.xlsm
Resource
win10v20201028
Malware Config
Extracted
http://transfer.sh/get/NTxd/notepad.exe
Extracted
agenttesla
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
zahimrahim18@gmail.com - Password:
pifgweijlylkellk
Extracted
asyncrat
0.5.7B
chongmei33.publicvm.com:2703
chongmei33.publicvm.com:49703
chongmei33.publicvm.com:49746
185.165.153.116:2703
185.165.153.116:49703
185.165.153.116:49746
54.37.36.116:2703
54.37.36.116:49703
54.37.36.116:49746
185.244.30.92:2703
185.244.30.92:49703
185.244.30.92:49746
dongreg202020.duckdns.org:2703
dongreg202020.duckdns.org:49703
dongreg202020.duckdns.org:49746
178.33.222.241:2703
178.33.222.241:49703
178.33.222.241:49746
rahim321.duckdns.org:2703
rahim321.duckdns.org:49703
rahim321.duckdns.org:49746
79.134.225.92:2703
79.134.225.92:49703
79.134.225.92:49746
37.120.208.36:2703
37.120.208.36:49703
37.120.208.36:49746
178.33.222.243:2703
178.33.222.243:49703
178.33.222.243:49746
87.98.245.48:2703
87.98.245.48:49703
87.98.245.48:49746
AsyncMutex_6SI8OkPnk
-
aes_key
hGScKRB0VrlS4WpFo0N7AmnZQApV4qsi
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
FEB
-
host
chongmei33.publicvm.com,185.165.153.116,54.37.36.116,185.244.30.92,dongreg202020.duckdns.org,178.33.222.241,rahim321.duckdns.org,79.134.225.92,37.120.208.36,178.33.222.243,87.98.245.48
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
2703,49703,49746
-
version
0.5.7B
Targets
-
-
Target
PO-21322.xlsm
-
Size
417KB
-
MD5
e391234ad8969ee93813458c325194c4
-
SHA1
cf4cbacbb5533ec90ec8215d01284d18b35dd139
-
SHA256
2657a10c7ccd83fe042c172a67c31c3a40dfff1c97cc7549533b2af8de2eb88e
-
SHA512
85fb0a3c785da2a5b7a407e052d02a9d17653fc3a8baa9f5b1693e266fb6e5acd2c548042218e53a8ceffd8a48081216fac5868ce05dc76e1defd8223c1fe091
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies system executable filetype association
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Turns off Windows Defender SpyNet reporting
-
AgentTesla Payload
-
Async RAT payload
-
Nirsoft
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-