General

  • Target

    PO_Copy.xls

  • Size

    392KB

  • Sample

    231208-l2c12aae39

  • MD5

    c53132c26ed5a87968bd23ff41c485ba

  • SHA1

    01b1a3c676dbc370fb1916ef17f9bb0309d5b966

  • SHA256

    02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431

  • SHA512

    5a09beb5a19c3be45f22e3e7e5e88fbabca1790ede5f38867d1976ce9017ca670797ae8c180666b0e4332803f01e3219f70727915f71507b5bf350f66d17d304

  • SSDEEP

    6144:Cn1m9kdb/PpeZHVl3S4qQygZpuUXI+FzkEM3Kajs5yiIIrjj5vQDwMm4EHnO:COeDuni5XgZTI+eEuKGiIIryDLm42

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.experthvac.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    -8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_

Targets

    • Target

      PO_Copy.xls

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks