
Analysis Report https://cdn.discordapp.com/attachments/724758155267145849/725523453461004328/TNT_DOCUMENT_xlsx.lzh

Overview

General Information

Sample URL: https://cdn.discordapp.com/attachments/724758155267145849/725523453461004328/TNT_DOCUMENT_xlsx.lzh

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Sigma detected: Add file from suspicious location to autostart registry
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc.)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Contains long sleeps (>= 3 min)