General
Target: PO.xls
Size: 60KB
Sample: 210510-kh9w674nba
MD5: bef0d1e9c66a0ae35a1e0ca747bdad15
SHA1: 36480210715a4c038d21b071b7f89508fef80c20
SHA256: b5ca98aaf7acc12175fda388247d7898d815a8091ede0f30dfe952d26b1739c0
SHA512: 196d949a020a03d1ec83c7c6a39c12efcf1ffe7e7663b7100868393ae44d8e0283d581378d523e2d956d7bd7b2035a3727c6c94f3611b6da106786d5b20e7bfc
Static task: static1
Behavioral task: behavioral1 (Sample: PO.xls, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: PO.xls, Resource: win10v20210410)
Malware Config
Extracted: agenttesla
http://103.151.125.220/me/file707/inc/ce68fc76541f27.php
Targets
Target: PO.xls
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
AgentTesla Payload
Blocklisted process makes network request
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext