General
-
Target
Order8524252.xlsm
-
Size
72KB
-
Sample
200630-rgrmlpgq6n
-
MD5
f41acbed47044b2588718f457ef8bf2b
-
SHA1
b85e29bed6977c1d689b057d548882e7058f2648
-
SHA256
0eebca5c4174eecc1f3f8066db7dcafaf96d9d89914617cac3c5ba925010abee
-
SHA512
dea10f3ea04673b293727780d2d36283c1faecf0f90874c7c5b1c3687ddd722c2a87fad2f6e77805f2ed23ef1e34065c96096745278b0e4439e84d871200fa56
Static task
static1
Behavioral task
behavioral1
Sample
Order8524252.xlsm
Resource
win7v200430
Behavioral task
behavioral2
Sample
Order8524252.xlsm
Resource
win10
Malware Config
Extracted
http://k0pla.com/order587458.exe
Targets
-
-
Target
Order8524252.xlsm
-
Size
72KB
-
MD5
f41acbed47044b2588718f457ef8bf2b
-
SHA1
b85e29bed6977c1d689b057d548882e7058f2648
-
SHA256
0eebca5c4174eecc1f3f8066db7dcafaf96d9d89914617cac3c5ba925010abee
-
SHA512
dea10f3ea04673b293727780d2d36283c1faecf0f90874c7c5b1c3687ddd722c2a87fad2f6e77805f2ed23ef1e34065c96096745278b0e4439e84d871200fa56
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blacklisted process makes network request
-
Executes dropped EXE
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-