General
-
Target
Purchase Order.xlsx
-
Size
290KB
-
Sample
210927-gsgkmsfgdn
-
MD5
79dbf0cb4518f97174ee4535672a0a60
-
SHA1
5dd9de078a0945c39431df3bcb44151637331353
-
SHA256
b61d1249505ff6814c04662bba102938cda38a0062bd78e11839d24cead1f577
-
SHA512
8f4b5e00c90f960d7b6d931267ec59f28e37a54248ab0bbae5bd94a2cc6ca294cd3ab0065eb8fde2ed32963e5976772ec2ec85f0e79c2635351f935d2d5f01af
Static task
static1
Behavioral task
behavioral1
Sample
Purchase Order.xlsx
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Purchase Order.xlsx
Resource
win10-en-20210920
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
)fjqy!s9
Targets
-
-
Target
Purchase Order.xlsx
-
Size
290KB
-
MD5
79dbf0cb4518f97174ee4535672a0a60
-
SHA1
5dd9de078a0945c39431df3bcb44151637331353
-
SHA256
b61d1249505ff6814c04662bba102938cda38a0062bd78e11839d24cead1f577
-
SHA512
8f4b5e00c90f960d7b6d931267ec59f28e37a54248ab0bbae5bd94a2cc6ca294cd3ab0065eb8fde2ed32963e5976772ec2ec85f0e79c2635351f935d2d5f01af
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Neshta Payload
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
AgentTesla Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-