General

  • Target

    Αντίγραφο πληρωμής _ MEDICAL PQ S.A..doc

  • Size

    146KB

  • Sample

    231208-pv285aec71

  • MD5

    08af4d55a8cf8e665638fbf68a0605fc

  • SHA1

    b29890c616bf85ece88051d4fc9972a3091dfb74

  • SHA256

    8d29e2a6c7bd4e925af3c4e744bdc432889948197bf8689920876ecb57b62c52

  • SHA512

    0fb8b4b84a735c6b58a00a8f8d7b8c25315f7c064f6d1fc7b5188e09161139ea55ded481c44c16531b6bdce410df4bf4844f69ca4fba065dd94b520a0e6c2c05

  • SSDEEP

    768:zwAbZSibMX9gRWjtwAbZSibMX9gRWjXp8+hxmXiQE+REJxT:zwAlRkwAlRii+hwXi9+REXT

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks