General
Target: Shipping Invoice & BL.xlsx
Size: 358KB
Sample: 211028-ltzj3afhcr
MD5: 4db752c789a2038d78d8067db7c6f79c
SHA1: dce36fecfd52b3df8dd134f0dbc0e2d36a0a114d
SHA256: c2c8ddcbdbed110a1b07aa3180297125eb82353ddadbc540b92e7ee2f1cb4574
SHA512: c04bb6a0b48296843e3e9c507b942d44de1003d418201f82d49b05b8fd81738675cc4ca4441ee3d15016cc56ec0a804db114350b6322f9aef5b3b00aabcb700e
Static task: static1
Behavioral task: behavioral1
  Sample: Shipping Invoice & BL.xlsx
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Shipping Invoice & BL.xlsx
  Resource: win10-en-20211014
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.enerzi.co
- Port: 587
- Username: [email protected]
- Password: Enerzis@123!#
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext