General
- Target: NEWPO-CEAUSTRALIA PTY LTD.xls
- Size: 60KB
- Sample: 210511-y9gz2hkhf6
- MD5: 30f70aa50b3b8186d1f0852bfeb46aa7
- SHA1: 8e606582f75aba27aad87c6a0628fd8d26969e22
- SHA256: 0127ed2d5c88bea1754efc672d6990dab2ea987fa76d6047cf0807b7f8bd9208
- SHA512: 27b7eb0751b3ca57a2cdf3035df8213fa970394d5c0bfb2d2ec2aa53d0f2693b98299adab9d811ea959177c4a2b290a461b43eb0e028fc5dce8d821d209f45e3
Static task: static1
Behavioral task: behavioral1
- Sample: NEWPO-CEAUSTRALIA PTY LTD.xls
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: NEWPO-CEAUSTRALIA PTY LTD.xls
- Resource: win10v20210410
Malware Config
- Extracted: agenttesla
- http://103.151.125.220/me/file1919/inc/8b183a1ede460a.php
Targets
- Target: NEWPO-CEAUSTRALIA PTY LTD.xls
- Size: 60KB
- MD5: 30f70aa50b3b8186d1f0852bfeb46aa7
- SHA1: 8e606582f75aba27aad87c6a0628fd8d26969e22
- SHA256: 0127ed2d5c88bea1754efc672d6990dab2ea987fa76d6047cf0807b7f8bd9208
- SHA512: 27b7eb0751b3ca57a2cdf3035df8213fa970394d5c0bfb2d2ec2aa53d0f2693b98299adab9d811ea959177c4a2b290a461b43eb0e028fc5dce8d821d209f45e3
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext