General
Target: New PO.xlsx
Size: 369KB
Sample: 211019-r36bvsghem
MD5: e883ef4023d37cee1dfb1f9931d2fe37
SHA1: bc0810d04f38a3dd153c5d9faaec63f93f85ddd2
SHA256: 4d0e73e1fa9440b0fdbb6b73901fd8ecc618600b2cfe4a07cfb8f6696a1199e0
SHA512: 7e85bb566f5c86bc0b6c7b506ea75fc54e33cdecb02faad5a7c3218053c63cb8de2326e99dcc1e4a21980d385e55dcb582e13ccb004dcf61151835759e67154c
Static task: static1
Behavioral task: behavioral1
  Sample: New PO.xlsx
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: New PO.xlsx
  Resource: win10-en-20211014
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.everywhere-gtt.com
Port: 587
Username: [email protected]
Password: chidiebere1994
Targets
Target: New PO.xlsx
Size: 369KB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext