Overview

overview

10

Static

static

1

Order PB2E...Z .xls

windows7-x64

10

Order PB2E...Z .xls

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order PB2EFLPWIRTFGBD2Z .xls

  • Size

    1.0MB

  • Sample

    230329-xhg2eshe32

  • MD5

    a864acb83b3a238490b5019c40695ee6

  • SHA1

    813dcac587b12d1b197772493ad1ba521bdf7992

  • SHA256

    d79dbb236bd0f95b5fc44b696c7dc098b42519931778080040a73b9eaf57ee86

  • SHA512

    340d6bdad0494baa89a08d1c6923d112928734f1f3fea8eb74ea3088a5a4fe17f4395f463ea5c395e6523900dddeeaff13a1afc96ad0c7fd219b148b3dea63d3

  • SSDEEP

    24576:oLK3SSMMednEwakAmmjmRakAmmjmF+MXUK3eT2222222222222222222222i2LN:oLKBM7aaoeaaoW+MXih

Score
10/10
agentteslapurecryptercollectiondownloaderkeyloggerloaderspywarestealertrojan

Malware Config

Extracted

Family

purecrypter

C2

http://192.3.215.60/uo7/Zkbscbhcbcv.png

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Order PB2EFLPWIRTFGBD2Z .xls

    • Size

      1.0MB

    • MD5

      a864acb83b3a238490b5019c40695ee6

    • SHA1

      813dcac587b12d1b197772493ad1ba521bdf7992

    • SHA256

      d79dbb236bd0f95b5fc44b696c7dc098b42519931778080040a73b9eaf57ee86

    • SHA512

      340d6bdad0494baa89a08d1c6923d112928734f1f3fea8eb74ea3088a5a4fe17f4395f463ea5c395e6523900dddeeaff13a1afc96ad0c7fd219b148b3dea63d3

    • SSDEEP

      24576:oLK3SSMMednEwakAmmjmRakAmmjmF+MXUK3eT2222222222222222222222i2LN:oLKBM7aaoeaaoW+MXih

    Score
    10/10
    agentteslapurecryptercollectiondownloaderkeyloggerloaderspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

      loaderdownloaderpurecrypter

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

3
T1012

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks