General
- Target: Order1040258.xlsm
- Size: 431KB
- Sample: 220630-ta2jbaccgp
- MD5: a7a4f3a4aa943e3bd5e78789cec486d6
- SHA1: 6bc828610e03758ea7121983b9e281b8e8b6fb47
- SHA256: 7933ad4edab82e52f977bc9623aa7b24f63ac959efbf1cd5c8ecf73a4207b9c1
- SHA512: 863820cc0e7cabbf18653ebda72bc2357624257f29f886a3f06c8fec4a53cf0f309117467c92a7da929d51d01f3eed1dac328301621224ed8cf28807afa92445
Static task: static1
Behavioral task: behavioral1
- Sample: Order1040258.xlsm
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Order1040258.xlsm
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
http://136.144.41.76/bray/inc/a4a9ffb236214a.php
Extracted: asyncrat
0.5.7B
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:1111
62.197.136.167:6606
62.197.136.167:7707
62.197.136.167:8808
62.197.136.167:1111
AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Targets
- Target: Order1040258.xlsm
- Size: 431KB
- MD5: a7a4f3a4aa943e3bd5e78789cec486d6
- SHA1: 6bc828610e03758ea7121983b9e281b8e8b6fb47
- SHA256: 7933ad4edab82e52f977bc9623aa7b24f63ac959efbf1cd5c8ecf73a4207b9c1
- SHA512: 863820cc0e7cabbf18653ebda72bc2357624257f29f886a3f06c8fec4a53cf0f309117467c92a7da929d51d01f3eed1dac328301621224ed8cf28807afa92445
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE AgentTesla Communicating with CnC Server
- suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext