General

  • Target

    Package.xls

  • Size

    391KB

  • Sample

    231207-y52vsafd34

  • MD5

    3e33c8cf5b3ce2fa86f1b0ab22d2d3c2

  • SHA1

    de4c28fc5c4eab8c71b09830ff295b901be6a844

  • SHA256

    7712b3d4b61189ccbafdbcc285b7a761d517bb68295626e30c33c24c38fb95cd

  • SHA512

    0ef6016a7e6d0a45d9358ee21ddacea1b0aa393f276dadc32f3218c89f41fbea9ac765b5127c60cc8c069eb26ee52ffb740d0a7eb2af6ccf20a68e7740852354

  • SSDEEP

    6144:ln1m9kdbQS6vsB3qfLWnNnBkbE9UX3yhnpC3quvmb6SrnV3LYpMMAI:lOeuvsB351Bkr3yh9b9hr

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.experthvac.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    -8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15