General

  • Target

    23122024_0133_fedEx shipping document.xlsx.vbe.gz

  • Size

    56KB

  • Sample

    241223-bysl7stkgy

  • MD5

    51a80e24ec24f515bc378c63bcd6c86d

  • SHA1

    66d361b517b8ca6e38bd2cf073a00ccd424aeee8

  • SHA256

    7fb38a221927c703a4fa3ad25a37e35b7d86e40b5b38dc941cde01f645faa12a

  • SHA512

    7d27282abac9aab0e0de53c0e002356caef047c2adf4a24fe7789aec33dcc295808c8e9ba9f62ab8766ed22e6355537aeaa52ddc46dc50aca1cfa56fbf088749

  • SSDEEP

    768:TckOj0rkzQrrabQcNdsr8Pfx3rk7Ka5Piht8xX05+ZJVXdwZrx2tb/syL:SjSkCObDMr4p3r+Ka5nxkgtGx8rsK

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

    exe.dropper

    https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Extracted

  • Family

    agenttesla

  • C2

    https://api.telegram.org/bot6050556352:AAE_-mublQ2CllMbT9xkQVBjSBbdvdYR1kM/

Targets

    • Target

      fedEx shipping document.xlsx.vbe

    • Size

      150KB

    • MD5

      48567dd418e419f7719a3269ad3a22c1

    • SHA1

      9d69ee9e60a316c98e7a87d90cdbfef4151175c4

    • SHA256

      a4f42049afb44ee3a5a075fd716d4a271cc1ed18ec41dc12a076e6f5b79372f0

    • SHA512

      a2cb14c886e74fc207035a6cd6598e5d841410d2a2f9603cddab4321417cb3811379be11ab085509afa255a6e6fd9b536ca9d11d17279f16c3c722e48fbd0eee

    • SSDEEP

      3072:PZgFwtD6gOsxOinQA8T7IRaZgFwtD6gOsxOinQA8T7ITZgFwtD6gOsxOinQA8T7N:BgwkiOiQLHgwkiOiQLYgwkiOiQLN

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks