Loading... Additional Content is being loaded
Windows
Analysis Report
Order Request1_5_24.xlam.xlsx
Overview
General Information
| Sample name: | Order Request1_5_24.xlam.xlsx |
| Analysis ID: | 1435095 |
| MD5: | 8216d3088f8358388dfcbdc7026f2ea1 |
| SHA1: | 3040eaecd169f745eae12c30652eebc676c3f234 |
| SHA256: | 37d95e56ed2ab7dbaeae0f8afad3d94ffd9286dee2447ad631b52ecd84a4f47a |
| Tags: | AgentTeslaxlamxlsx |
| Infos: |   |
 |
|
Detection
AgentTesla, PureLog Stealer, RedLine
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
|
|
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |
|
AV Detection |
  |
|---|
| Source: |
Avira: |
||
| Source: |
Malware Configuration Extractor: |
||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
ReversingLabs: |
||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Source: |
Joe Sandbox ML: |
||
Exploits |
|
|---|
| Source: |
Network connect: |
Jump to behavior | ||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Code function: |
3_2_00C0DBBE | |
| Source: |
Code function: |
3_2_00BDC2A2 | |
| Source: |
Code function: |
3_2_00C168EE | |
| Source: |
Code function: |
3_2_00C1698F | |
| Source: |
Code function: |
3_2_00C0D076 | |
| Source: |
Code function: |
3_2_00C0D3A9 | |
| Source: |
Code function: |
3_2_00C19642 | |
| Source: |
Code function: |
3_2_00C1979D | |
| Source: |
Code function: |
3_2_00C19B2B | |
| Source: |
Code function: |
3_2_00C15C97 | |
Software Vulnerabilities |
|
|---|
| Source: |
Process created: |
||
| Source: |
Code function: |
2_2_035206C1 | |
| Source: |
Code function: |
2_2_03520661 | |
| Source: |
Code function: |
2_2_03520867 | |
| Source: |
Code function: |
2_2_0352070D | |
| Source: |
Code function: |
2_2_035207B4 | |
| Source: |
Code function: |
2_2_0352062A | |
| Source: |
Code function: |
2_2_03520729 | |
| Source: |
Code function: |
2_2_0352075A | |
| Source: |
Code function: |
2_2_035205DE | |
| Source: |
Code function: |
2_2_03520776 | |
| Source: |
Code function: |
2_2_03520617 | |
| Source: |
Code function: |
2_2_0352079A | |
| Source: |
Code function: |
2_2_0352059B | |
| Source: |
Code function: |
2_2_03520582 | |
| Source: |
Code function: |
2_2_03520887 | |
| Source: |
Code function: |
2_2_035205B7 | |
| Source: |
HTTP traffic detected: | ||