General

  • Target

    16015107.xlam

  • Size

    12KB

  • Sample

    200709-1jescq39mj

  • MD5

    db3b7d4cfb134c5ad4c74891e23c06e4

  • SHA1

    b78856ac0597b12d2befe6ebb055082632529a71

  • SHA256

    2e6f88c4dc2322c385d506a81b5127f4361cb824389315d4dbb100e959c8fbc0

  • SHA512

    2266ab432712b2a9d4a744bcf0ac852e5573a00fe114c5378bd1e8a87355a6038efc32c38738ea7edb64eb8236458dbfdbc4cadfa84ccef196c20a8f0b153a00

Malware Config

Extracted

  • Language:
    ps1
  • Source URLs:
    http://shopcart.indbytes.com/cig/16015107.jpg (exe.dropper)

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    550fsjftg@-=)

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v6

Tasks