General
- Target: SCAN_CRED_SWIFT.xls
- Size: 60KB
- Sample: 210510-k37kz9gh3s
- MD5: ab00a2b6e072cd6a7adac6a227e129fb
- SHA1: 33a115a303e9a12fefa325821c791f42746c45db
- SHA256: 6c3e2de1ae1bd65297af6ae24897368d24db8f74a1bb755dfa129dc203691543
- SHA512: 2422a063ffdea9329f2612871bb7a9576c5df6f38d85d3f004ee86223a4a6ed39c636062521839be38d526bf64fec3bf3ad8fd0c6bac6dd9568378ce5354778a
Static task: static1
Behavioral task: behavioral1
- Sample: SCAN_CRED_SWIFT.xls
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: SCAN_CRED_SWIFT.xls
- Resource: win10v20210410
Malware Config
- Extracted (agenttesla): http://103.151.125.220/me/file3434/inc/d2ffed4655329c.php
Targets
- Target: SCAN_CRED_SWIFT.xls
- Size: 60KB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext