General

  • Target

    comprobante.xlam.xlsx

  • Size

    677KB

  • Sample

    231210-t1yv4shea2

  • MD5

    e80d7b0d84d9813bbc036baf7070b8e2

  • SHA1

    19d8a69fb20ecc14e6b2fc3a48d5781b9a5deece

  • SHA256

    c257a8f4249d22d5f0250b80d0822fa437183f70123d2a7175330f8a34a278cb

  • SHA512

    6c905815e8fe63fe1e926238ec456b842e423cc4817098ef374f1c98645bfbea10c90e5af29d8ee9673bd9357a81dbcfce806579c7c644524eb420713155c858

  • SSDEEP

    12288:LWcIIO6L8S0N5nukjjdIf0166RHf8xvhj+LvweiUeXPlgCwVgXNJi8zlj2fW:LWqLehjjygf8thYvkU6PB

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.siscop.com.co
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    +5s48Ia2&-(t

Targets

    • Target

      comprobante.xlam.xlsx

    • Size

      677KB

    • MD5

      e80d7b0d84d9813bbc036baf7070b8e2

    • SHA1

      19d8a69fb20ecc14e6b2fc3a48d5781b9a5deece

    • SHA256

      c257a8f4249d22d5f0250b80d0822fa437183f70123d2a7175330f8a34a278cb

    • SHA512

      6c905815e8fe63fe1e926238ec456b842e423cc4817098ef374f1c98645bfbea10c90e5af29d8ee9673bd9357a81dbcfce806579c7c644524eb420713155c858

    • SSDEEP

      12288:LWcIIO6L8S0N5nukjjdIf0166RHf8xvhj+LvweiUeXPlgCwVgXNJi8zlj2fW:LWqLehjjygf8thYvkU6PB

    • AgentTesla

      Agent Tesla is an information stealer with remote access tool (RAT) capabilities, written in .NET (historically Visual Basic .NET). It harvests saved credentials from browsers, e-mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP; the FTP account in the extracted config above is this sample's exfiltration channel.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store user data (account settings and saved credentials) on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
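The three behavioural signatures above plus the extracted FTP host are enough to build a small host-side correlation rule. The script below is an added example, not code from the sandbox report or from the Agent Tesla family: it maps constructed endpoint events (file, registry, DNS and connect) to the signature names used on this page and raises the score when one process both reads credential stores and talks outbound. The event schema, the sample events, the process name payload.exe, the credential-store paths and the IP-lookup hostnames are assumptions chosen to be typical; only the host and port come from the report's Malware Config.

```python
"""Correlate endpoint telemetry with the behaviours this report lists.

Added example, not code from the sandbox report. Event schema, sample events,
credential-store paths and IP-lookup hostnames are assumptions; only
EXFIL_HOST and EXFIL_PORT come from the report's extracted config.
"""
import re
from dataclasses import dataclass, field

# From the report's "Malware Config" section.
EXFIL_HOST = "ftp.siscop.com.co"
EXFIL_PORT = 21

# Assumed: typical on-disk/registry credential stores (matched case-insensitively).
MAIL_STORE_RE = re.compile(
    r"\\Thunderbird\\Profiles\\[^\\]+\\logins\.json$|\\Outlook\\Profiles\\", re.I)
BROWSER_STORE_RE = re.compile(
    r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db)$", re.I)

# Assumed: services a stealer queries to learn the victim's public IP.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}

# Processes that legitimately read their own stores; suppressed to cut noise.
STORE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe", "outlook.exe"}

SIG_MAIL = "Reads user/profile data of local email clients"
SIG_BROWSER = "Reads user/profile data of web browsers"
SIG_IPLOOKUP = "Looks up external IP address via web service"
SIG_EXFIL = "Connects to extracted FTP exfiltration host"


@dataclass
class Event:
    pid: int
    image: str      # process image name
    kind: str       # "file_read" | "reg_read" | "dns" | "connect"
    target: str     # path, registry key, hostname, or "host:port"


@dataclass
class Verdict:
    pid: int
    image: str
    signatures: list = field(default_factory=list)
    score: int = 0


def classify(ev: Event):
    """Return the signature name one event triggers, or None."""
    if ev.kind in ("file_read", "reg_read"):
        if ev.image.lower() in STORE_OWNERS:
            return None
        if MAIL_STORE_RE.search(ev.target):
            return SIG_MAIL
        if ev.kind == "file_read" and BROWSER_STORE_RE.search(ev.target):
            return SIG_BROWSER
    elif ev.kind == "dns" and ev.target.lower() in IP_LOOKUP_HOSTS:
        return SIG_IPLOOKUP
    elif ev.kind == "connect":
        host, _, port = ev.target.rpartition(":")
        if host.lower() == EXFIL_HOST and port == str(EXFIL_PORT):
            return SIG_EXFIL
    return None


def correlate(events):
    """Group hits per process. Credential reads plus any outbound hit from the
    same process is the stealer pattern and earns a bonus on the score."""
    verdicts = {}
    for ev in events:
        sig = classify(ev)
        if sig is None:
            continue
        v = verdicts.setdefault(ev.pid, Verdict(ev.pid, ev.image))
        if sig not in v.signatures:
            v.signatures.append(sig)
    for v in verdicts.values():
        reads = any(s.startswith("Reads") for s in v.signatures)
        outbound = any(not s.startswith("Reads") for s in v.signatures)
        v.score = len(v.signatures) + (3 if reads and outbound else 0)
    return verdicts


# Constructed sample telemetry (not from the report's sandbox run).
SAMPLE_EVENTS = [
    Event(4120, "payload.exe", "file_read",
          r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(4120, "payload.exe", "file_read",
          r"C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\q1w2e3.default\logins.json"),
    Event(4120, "payload.exe", "reg_read",
          r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    Event(4120, "payload.exe", "dns", "api.ipify.org"),
    Event(4120, "payload.exe", "connect", f"{EXFIL_HOST}:{EXFIL_PORT}"),
    Event(880, "chrome.exe", "file_read",
          r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(2200, "svchost.exe", "dns", "ctldl.windowsupdate.com"),
]

if __name__ == "__main__":
    for v in sorted(correlate(SAMPLE_EVENTS).values(), key=lambda v: -v.score):
        print(f"pid {v.pid} {v.image}: score {v.score}")
        for s in v.signatures:
            print("   ", s)
```

The STORE_OWNERS allowlist is the part to tune: without it every browser start trips the "reads browser data" signature, and with it a stealer that injects into a browser process is missed, so in production pair the image check with parent-process or signature verification rather than the name alone.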

MITRE ATT&CK Enterprise v15

Tasks