General
-
Target
New Order nr. 763ES.xlsx
-
Size
343KB
-
Sample
211019-j5626sfde8
-
MD5
eaca11f07cac788acad6a132e11dc812
-
SHA1
c2b84d6bef526eea74cf6ff072faab8240a294dd
-
SHA256
3e49784f4bd41328125657df969f475ce1ee7abc3cbd4d63a4d0d7357e423d10
-
SHA512
5aee5dde91ba1c887945d4621b0eccf110ff966cf51649200632734d4945d6ee726331900d9caf0aca971bca96d7ce81e3de55f5132d6ad568e6e7d3c0b0cfd1
Static task
static1
Behavioral task
behavioral1
Sample
New Order nr. 763ES.xlsx
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
New Order nr. 763ES.xlsx
Resource
win10-en-20211014
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.everywhere-gtt.com - Port:
587 - Username:
[email protected] - Password:
chidiebere1994
Targets
-
-
Target
New Order nr. 763ES.xlsx
-
Size
343KB
-
MD5
eaca11f07cac788acad6a132e11dc812
-
SHA1
c2b84d6bef526eea74cf6ff072faab8240a294dd
-
SHA256
3e49784f4bd41328125657df969f475ce1ee7abc3cbd4d63a4d0d7357e423d10
-
SHA512
5aee5dde91ba1c887945d4621b0eccf110ff966cf51649200632734d4945d6ee726331900d9caf0aca971bca96d7ce81e3de55f5132d6ad568e6e7d3c0b0cfd1
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-