General
-
Target
PO_Copy.xls
-
Size
392KB
-
Sample
231208-l2c12aae39
-
MD5
c53132c26ed5a87968bd23ff41c485ba
-
SHA1
01b1a3c676dbc370fb1916ef17f9bb0309d5b966
-
SHA256
02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431
-
SHA512
5a09beb5a19c3be45f22e3e7e5e88fbabca1790ede5f38867d1976ce9017ca670797ae8c180666b0e4332803f01e3219f70727915f71507b5bf350f66d17d304
-
SSDEEP
6144:Cn1m9kdb/PpeZHVl3S4qQygZpuUXI+FzkEM3Kajs5yiIIrjj5vQDwMm4EHnO:COeDuni5XgZTI+eEuKGiIIryDLm42
Static task
static1
Behavioral task
behavioral1
Sample
PO_Copy.xls
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
PO_Copy.xls
Resource
win10v2004-20231127-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.experthvac.ro - Port:
21 - Username:
[email protected] - Password:
-8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_
Targets
-
-
Target
PO_Copy.xls
-
Size
392KB
-
MD5
c53132c26ed5a87968bd23ff41c485ba
-
SHA1
01b1a3c676dbc370fb1916ef17f9bb0309d5b966
-
SHA256
02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431
-
SHA512
5a09beb5a19c3be45f22e3e7e5e88fbabca1790ede5f38867d1976ce9017ca670797ae8c180666b0e4332803f01e3219f70727915f71507b5bf350f66d17d304
-
SSDEEP
6144:Cn1m9kdb/PpeZHVl3S4qQygZpuUXI+FzkEM3Kajs5yiIIrjj5vQDwMm4EHnO:COeDuni5XgZTI+eEuKGiIIryDLm42
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-