General

  • Target

    orden de compra.xla

  • Size

    391KB

  • Sample

    231207-t9qk4ade83

  • MD5

    060f999d180fb2c37059815ebd76e38e

  • SHA1

    605c01289d5b683a3d5b5eb17ebef72bfc388f91

  • SHA256

    ac07988ba9649741c59d16698f8c33295b3ff7943eeccbafe6f988e3e3c10908

  • SHA512

    a4449aa855a6426106516bf11499902f402ed4589fa7f11e628fec9efbcd6b8a6fcabdfb02d2fe3bf20a41889c734538e77194a011112b4dc06ae94e6b9c066e

  • SSDEEP

    6144:Vn1m9kdbXgb8y3ZetJs0hdMJUXTdU5u/LbquQFBql4yUhNttSMS6EgU0rh:VOesblwtqSdLTdoaNQO6hQX+h

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.siscop.com.co
  • Port:
    21
  • Username:
    pedophile@siscop.com.co
  • Password:
    +5s48Ia2&-(t

Targets

    • Target

      orden de compra.xla

    • Size

      391KB

    • MD5

      060f999d180fb2c37059815ebd76e38e

    • SHA1

      605c01289d5b683a3d5b5eb17ebef72bfc388f91

    • SHA256

      ac07988ba9649741c59d16698f8c33295b3ff7943eeccbafe6f988e3e3c10908

    • SHA512

      a4449aa855a6426106516bf11499902f402ed4589fa7f11e628fec9efbcd6b8a6fcabdfb02d2fe3bf20a41889c734538e77194a011112b4dc06ae94e6b9c066e

    • SSDEEP

      6144:Vn1m9kdbXgb8y3ZetJs0hdMJUXTdU5u/LbquQFBql4yUhNttSMS6EgU0rh:VOesblwtqSdLTdoaNQO6hQX+h

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v13

Execution

Exploitation for Client Execution

1
T1203

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks