General
Target: 23122024_0133_fedEx shipping document.xlsx.vbe.gz
Size: 56KB
Sample: 241223-bysl7stkgy
MD5: 51a80e24ec24f515bc378c63bcd6c86d
SHA1: 66d361b517b8ca6e38bd2cf073a00ccd424aeee8
SHA256: 7fb38a221927c703a4fa3ad25a37e35b7d86e40b5b38dc941cde01f645faa12a
SHA512: 7d27282abac9aab0e0de53c0e002356caef047c2adf4a24fe7789aec33dcc295808c8e9ba9f62ab8766ed22e6355537aeaa52ddc46dc50aca1cfa56fbf088749
SSDEEP: 768:TckOj0rkzQrrabQcNdsr8Pfx3rk7Ka5Piht8xX05+ZJVXdwZrx2tb/syL:SjSkCObDMr4p3r+Ka5nxkgtGx8rsK
Static task: static1
Behavioral task: behavioral1
  Sample: fedEx shipping document.xlsx.vbe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: fedEx shipping document.xlsx.vbe
  Resource: win10v2004-20241007-en
Malware Config
Extracted
  https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20
Extracted
  Family: agenttesla
  https://api.telegram.org/bot6050556352:AAE_-mublQ2CllMbT9xkQVBjSBbdvdYR1kM/
Targets
Target: fedEx shipping document.xlsx.vbe
Size: 150KB
MD5: 48567dd418e419f7719a3269ad3a22c1
SHA1: 9d69ee9e60a316c98e7a87d90cdbfef4151175c4
SHA256: a4f42049afb44ee3a5a075fd716d4a271cc1ed18ec41dc12a076e6f5b79372f0
SHA512: a2cb14c886e74fc207035a6cd6598e5d841410d2a2f9603cddab4321417cb3811379be11ab085509afa255a6e6fd9b536ca9d11d17279f16c3c722e48fbd0eee
SSDEEP: 3072:PZgFwtD6gOsxOinQA8T7IRaZgFwtD6gOsxOinQA8T7ITZgFwtD6gOsxOinQA8T7N:BgwkiOiQLHgwkiOiQLYgwkiOiQLN
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)