General
-
Target
NEW ORDER AST 27-28 October.xlsx
-
Size
369KB
-
Sample
211019-radq5sgggq
-
MD5
7ab0bc5ab895f38b4ad85e904a321080
-
SHA1
9a017dc60dfa0c9129f6d5742cfda057b3e99f3a
-
SHA256
35056762755603176fdd69583d03f154c6b5a7dbac3ae758b9a1d4cd04ff4e32
-
SHA512
95343201aefdd0940c3779ff568604f2257ba2d0414525ab9ed3f0be85674c004a4bd63795c24db4eb74cfc5068143e3032efba2ccdaab2ac9ee1679098e0427
Static task
static1
Behavioral task
behavioral1
Sample
NEW ORDER AST 27-28 October.xlsx
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
NEW ORDER AST 27-28 October.xlsx
Resource
win10-en-20211014
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.xxltrucck.com - Port:
587 - Username:
[email protected] - Password:
vFguU*i0
Targets
-
-
Target
NEW ORDER AST 27-28 October.xlsx
-
Size
369KB
-
MD5
7ab0bc5ab895f38b4ad85e904a321080
-
SHA1
9a017dc60dfa0c9129f6d5742cfda057b3e99f3a
-
SHA256
35056762755603176fdd69583d03f154c6b5a7dbac3ae758b9a1d4cd04ff4e32
-
SHA512
95343201aefdd0940c3779ff568604f2257ba2d0414525ab9ed3f0be85674c004a4bd63795c24db4eb74cfc5068143e3032efba2ccdaab2ac9ee1679098e0427
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
AgentTesla Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-