General
Target: TT Copy.xls
Size: 381KB
Sample: 231201-rc414sac84
MD5: 26beb641321ce859d389a80ccd1416d9
SHA1: 8a47f46ab9f3ed5fd132cd8f30ece15e6c47cf21
SHA256: 3c756278503cd67e4ca18fa2acbba31c308153b5801f24b222a42b4b3331c780
SHA512: 02c1f0b615d33f941d6a8a227fb9845bedbd01eee4a587368b95fb83bcf0ff16b4f9738aa7caaf65a9c7373bb9711e4f504bfc50a7dabf97b54fe1cf26239f5b
SSDEEP: 6144:hn1m9kdb41yFtrP+9LFRLLckUXWnNFFtx/4pvbS3SF18XpzeHfOSWZJOOeRs5mOG:hOecoFt+LFRSWznxwdQBpKHfIeRKmOr6
Static task: static1
Behavioral task: behavioral1 (Sample: TT Copy.xls, Resource: win7-20231023-en)
Behavioral task: behavioral2 (Sample: TT Copy.xls, Resource: win10-20231020-en)
Behavioral task: behavioral3 (Sample: TT Copy.xls, Resource: win10v2004-20231127-en)
Malware Config
Extracted
agenttesla
Protocol: ftp
Host: ftp://ftp.experthvac.ro
Port: 21
Username: [email protected]
Password: -8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_
Targets
Target: TT Copy.xls
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext