General
Target: pnlfui.xlsm
Size: 430KB
Sample: 230315-cy53zada4v
MD5: 4b222ff63ba4a27646751b5dadfd3ed7
SHA1: 4786533018798fbbb3083910b2459a80b3e60258
SHA256: 37eb0640c85ef74c91b533f1fc7cc1ac9584d648330e105fb37b4231f885576c
SHA512: acbfccde01fde8e1ea84d5b7bca67774275f19c5ad4f4b23da340fec651f92998cbbb12937aefd82f9c13d97bb4d3574bf49ad4918d4aebd3f3403266ea7f4a6
SSDEEP: 12288:HfMXQu7SHOCZhSTIS2dGpeWpqivD1YxR25O8UA:HNwarmMSAGMID1R5OtA
Behavioral task: behavioral1
Sample: pnlfui.xlsm
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: pnlfui.xlsm
Resource: win10v2004-20230220-en
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: sqsendy.shop
Port: 587
Username: [email protected]
Password: I^l1gJFLlu#v
Email To: [email protected]
Targets
Target: pnlfui.xlsm
Size: 430KB
MD5: 4b222ff63ba4a27646751b5dadfd3ed7
SHA1: 4786533018798fbbb3083910b2459a80b3e60258
SHA256: 37eb0640c85ef74c91b533f1fc7cc1ac9584d648330e105fb37b4231f885576c
SHA512: acbfccde01fde8e1ea84d5b7bca67774275f19c5ad4f4b23da340fec651f92998cbbb12937aefd82f9c13d97bb4d3574bf49ad4918d4aebd3f3403266ea7f4a6
SSDEEP: 12288:HfMXQu7SHOCZhSTIS2dGpeWpqivD1YxR25O8UA:HNwarmMSAGMID1R5OtA
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext