General

  • Target

    NEW ORDER.xls

  • Size

    1.7MB

  • Sample

    230801-mtd4ssgd6s

  • MD5

    345dc5533c4c20b89d20e75aff3023fe

  • SHA1

    d05b645116d0ee6806fb9e4026220aac3e0709bd

  • SHA256

    7332e56b52d0993782b3e13e6ebcfb45d6fdb7367e46a3eafe1bae387817ccef

  • SHA512

    d140bf41d169e12539437ca7a0e1e97c64d0059d2d3112a280d8e862a35a5f1c61b68df94b3b0fe374824b33ac83dfe65be9c2d1241ffbfdc583be7060bdaaf7

  • SSDEEP

    49152:tQmmQ30kupp6VNQmmQ308556V8iNhv3tBfXCnSgk6+iv:tpmQkkamNpmQkOm8MhrCA6

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15