SHIPPING DOCUMENT.xlsx

General

Target: SHIPPING DOCUMENT.xlsx
Size: 587KB
Sample: 210915-hx8qcsdbbj
Score: 10/10
MD5: 8d888bf7f0fbf737dcb6f62f58d9c00e
SHA1: 5d8acca52c259e714e4e28a9e6ea3a36f5eb108f
SHA256: 3368451d206d750382c2ff4c823c3a0f95952e2ce86e7fdde7b4c3e1d4d5c75b
SHA512: ec7e95b51f72ac8182859edffe4ea68ea18d2e6c93df5ab9d850fdb63d3494fdf6eabe75c30a1ff07a5df5f99cc9eb076691fbfb70a0d84f0a16a57c9e05ab96

Malware Config

Extracted

Family: agenttesla

Credentials

Protocol: smtp
Host: smtp.ccsp-india.com
Port: 587
Username: jayamurugan@ccsp-india.com
Password: Lkp$CcsP1008

Targets
Signatures

  • AgentTesla

    Description: Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • AgentTesla Payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Description: Tries to access configuration files associated with programs like FileZilla.

    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of local email clients

    Description: Email clients store some user data on disk, where infostealers often target it.

    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers

    Description: Infostealers often target stored browser data, which can include saved credentials, etc.

    TTPs: Data from Local System; Credentials in Files

  • Uses the VBS compiler for execution

    TTPs: Scripting

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (tactic columns only): Command and Control, Credential Access, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral2
1/10