Overview

overview

10

Static

static

1

302814Q.xlam

windows7-x64

10

302814Q.xlam

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    302814Q.xlam

  • Size

    684KB

  • Sample

    240328-h1zxmafc3y

  • MD5

    dd1745650a50384acb3e3d18f640f6ae

  • SHA1

    aa7c92503314baf176c6972fb0e9eb69eeac8ce7

  • SHA256

    777ffc7e8f61be4b407f8acf15f6338d6a299c8fa89284c62528b0c00d443ae1

  • SHA512

    d4a6e8f1e861a236898fcb41c15e7013263f7acb7e22f9f15c00661d4c4a91712c004c3dbe955bd9d98a9558a6818d6c2659af750ef28e42be43ed832d09dc01

  • SSDEEP

    12288:ninWwmPuLCPZs6cygqu3EYgH0eDpTjyLEu3oJDyIaj5LiuR:irCPkyzYgH0iwAu4J1uR

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      302814Q.xlam

    • Size

      684KB

    • MD5

      dd1745650a50384acb3e3d18f640f6ae

    • SHA1

      aa7c92503314baf176c6972fb0e9eb69eeac8ce7

    • SHA256

      777ffc7e8f61be4b407f8acf15f6338d6a299c8fa89284c62528b0c00d443ae1

    • SHA512

      d4a6e8f1e861a236898fcb41c15e7013263f7acb7e22f9f15c00661d4c4a91712c004c3dbe955bd9d98a9558a6818d6c2659af750ef28e42be43ed832d09dc01

    • SSDEEP

      12288:ninWwmPuLCPZs6cygqu3EYgH0eDpTjyLEu3oJDyIaj5LiuR:irCPkyzYgH0iwAu4J1uR

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks