General

  • Target:
    Invoice and Packing list.doc
  • Size:
    30KB
  • Sample:
    230328-g141xahc79
  • MD5:
    685c4cd21e27467ff893f2f5365ef566
  • SHA1:
    25ca8c8ef3c305d207367bbe15f7625fd1e236e2
  • SHA256:
    7af5cf2c2851627fffce58f36ad4eaa1b95f87eec61c206d043d916d12b3d36b
  • SHA512:
    7c43e0266c36df87296257a1fb6d93265e5a3d4891b122e35936deade7d83a118533efbb2b653f0184da4bddf0709053c166fd4c6a15cc1a31f3f4c20b7860f6
  • SSDEEP:
    768:8Fx0XaIsnPRIa4fwJMSGxwxkQvC1yOZ5o7fLIQR:8f0Xvx3EMCxkQveQrjR

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.valvulasthermovalve.cl
  • Port:
    21
  • Username:
    cva19491@valvulasthermovalve.cl
  • Password:
    LILKOOLL14!!

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution:
    Exploitation for Client Execution (T1203): 1
  • Defense Evasion:
    Modify Registry (T1112): 1
  • Credential Access:
    Credentials in Files (T1081): 3
  • Discovery:
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2
  • Collection:
    Data from Local System (T1005): 3
    Email Collection (T1114): 1

Tasks