General
Target: PO.xls
Size: 192KB
Sample: 230328-v64tzsdh51
MD5: 420442e8c24f90d1cf29579b6c4de21a
SHA1: 128890d9359087fd3efcbade23d92a2ea77a9827
SHA256: 031ca9695c177f7f51b25e2b4b7f170929df5aa750fae46cb70aaab0f65dfe32
SHA512: 6749bfceefa9aebc0ef139ace1058de076e4eac071c0544383fa60b9fd23ee383be0b63221a8969bc65cc9a9cccae709b47ec77a2236a81ad9c9a8988efad0c2
SSDEEP: 3072:Tl7aN3JkKXiDPcp5jw5OZfZ+RwPONXoRjDhIcp0fDlaGGx+cL26nA+r3vZVgAjVx:TpaFJkKXiDU7w5O5Z+RwPONXoRjDhIc3
Static task: static1
Behavioral task: behavioral1
Sample: PO.xls
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: PO.xls
Resource: win10v2004-20230220-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-