General
Target: PO PENANG ORDER C0023.xlsx
Size: 229KB
Sample: 211124-wdgdnageg8
MD5: 17ddfdbca81f6c8214406720867549f0
SHA1: 1bf9c02f6aaeb9603b030717517b1f64cec5099b
SHA256: 0d407a8cd27641e63ee9b446bc3128a91433a6bebc4f37ee11779a9faf94a655
SHA512: 22880714ea730835dce71099f8eef4426d768be364f0f07e1aaec03940706fd29dc165d7d734b947e94a194c7e2aeeee3d70e89d297dbc0c00a52c9114622286
Static task: static1
Behavioral task: behavioral1
  Sample: PO PENANG ORDER C0023.xlsx
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: PO PENANG ORDER C0023.xlsx
  Resource: win10-en-20211014
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.turbo-mech.co.id
Port: 587
Username: sales@turbo-mech.co.id
Password: 7urb0m3ch
Targets
Target: PO PENANG ORDER C0023.xlsx
Size: 229KB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect Neshta Payload
- Modifies system executable filetype association
- Neshta: Malware from the Neshta family is designed to infect other files in order to spread and cause damage.
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext