General
- Target: DC-330NC.xlsx
- Size: 228KB
- Sample: 211202-krmbaadeem
- MD5: a5ca1f78702e99f9a90f20a93696e4a7
- SHA1: b6832ff73a8b940241ab0436996d0db5d2e82839
- SHA256: 50062c8d61b8fc4e1cdf55d30bf574c0ec9e616d1c6b245927266a1bce98beb8
- SHA512: 1d6305e34fcb4e6d803f55606506ca458a60583b2276e50696e7c1aa6c5fa8f8dc9818e85ff14d6194a75d1bf4c59e5f2c0e9f7d012961fde214a3b91fe20a9e
Static task: static1
Behavioral task: behavioral1
- Sample: DC-330NC.xlsx
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: DC-330NC.xlsx
- Resource: win10-en-20211014
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.1and1.it
- Port: 587
- Username: [email protected]
- Password: Valico07*
Targets
- Target: DC-330NC.xlsx
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Modifies WinLogon for persistence
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext