General

  • Target

    e1b3f274356e15e14aa24e3651b0097ba60c5f91a5a7c6a3884896e11224486f.xlsx

  • Size

    664KB

  • Sample

    240509-l72atafb65

  • MD5

    e6e804e32c278493689f6b0b95d4f78b

  • SHA1

    60ed9b94a5bd3f247b9e401196a9b1f9a41e6429

  • SHA256

    e1b3f274356e15e14aa24e3651b0097ba60c5f91a5a7c6a3884896e11224486f

  • SHA512

    4438cda3ba381f62fb7cc131e3e52049d06d3169b193b4996474c225697f22d2cebba5a97ee319def34b9fdc21ee507d09519698c13423b761feb9149fb4a659

  • SSDEEP

    12288:ltnW2oFEWBZXOy4tr0WETIfR1RN0/CSuo9dBPdcAlppBVP208:zW2ielQWCIfr0JZpdjpBNv8

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (keylogging, credential and clipboard theft, exfiltration over SMTP/FTP/HTTP), typically written in Visual Basic .NET.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIt scripts compiled to PE executables; in delivery chains like this one the compiled AutoIt binary usually acts as a loader that decrypts and injects the final payload.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites the register state (including the instruction pointer) of a suspended thread. Outside of debuggers it is a hallmark of process hollowing and similar RunPE-style injection, where a loader starts a legitimate process suspended and redirects its main thread into an unpacked payload.
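The behavioural signatures above describe what the sandbox observed, not how to find the same chain in your own telemetry. The following is an added example (not part of the sandbox report or of any sandbox's code) that replays a handful of constructed Sysmon-style events, written for this example and not taken from the sample, and applies detection logic mirroring four of the signatures: an Office process making a network request, a PE written to disk by a process that has been on the network, a dropped EXE being executed, a dropped DLL being loaded, and a contact to an external IP lookup service. The hostname list and the `203.0.113.10` address are assumptions for illustration (the report names no service or address).

```python
"""Replay constructed process/file/network events and flag the behaviours
the sandbox signatures describe. Example code, not part of the report."""

# Public IP-lookup services commonly contacted by stealers; assumption for
# the example, the report does not say which service the sample used.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com",
    "ifconfig.me", "ipinfo.io", "checkip.amazonaws.com", "api.ip.sb",
}
# Office hosts that should never be the origin of a download chain.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyze(events):
    """Return a list of (signature, detail) tuples for an ordered event stream."""
    findings = []
    net_pids = set()      # pids that have made an outbound connection
    dropped_pe = set()    # lowercase paths of PE files written during the run
    for ev in events:
        kind = ev["type"]
        name = _basename(ev["image"])
        if kind == "network":
            net_pids.add(ev["pid"])
            if name in OFFICE_PROCESSES:
                findings.append(("office_process_network_request",
                                 f"{name} -> {ev['dst']}"))
            if ev["dst"].lower() in IP_LOOKUP_HOSTS:
                findings.append(("external_ip_lookup", f"{name} -> {ev['dst']}"))
        elif kind == "file_write":
            path = ev["path"].lower()
            if ev["first_bytes"][:2] == b"MZ":      # DOS header: PE on disk
                dropped_pe.add(path)
                if ev["pid"] in net_pids:            # written after a download
                    findings.append(("downloads_pe_file", f"{name} wrote {path}"))
        elif kind == "process_create":
            if ev["image"].lower() in dropped_pe:
                findings.append(("executes_dropped_exe", ev["image"]))
        elif kind == "image_load":
            if ev["loaded"].lower() in dropped_pe:
                findings.append(("loads_dropped_dll",
                                 f"{name} loaded {ev['loaded']}"))
    return findings


def signature_names(events):
    """Distinct signature names triggered, sorted for stable comparison."""
    return sorted({sig for sig, _ in analyze(events)})


# Constructed event stream modelled on the report's chain (not real telemetry).
TMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
EVENTS = [
    {"type": "process_create", "pid": 1000, "image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE"},
    {"type": "network", "pid": 1000, "image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "dst": "203.0.113.10"},
    {"type": "file_write", "pid": 1000, "image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "path": TMP + "loader.exe", "first_bytes": b"MZ\x90\x00"},
    {"type": "process_create", "pid": 2000, "image": TMP + "loader.exe"},
    {"type": "file_write", "pid": 2000, "image": TMP + "loader.exe",
     "path": TMP + "helper.dll", "first_bytes": b"MZ\x90\x00"},
    {"type": "image_load", "pid": 2000, "image": TMP + "loader.exe", "loaded": TMP + "helper.dll"},
    {"type": "network", "pid": 2000, "image": TMP + "loader.exe", "dst": "api.ipify.org"},
]

if __name__ == "__main__":
    for sig, detail in analyze(EVENTS):
        print(f"{sig:32} {detail}")
```

Note that `helper.dll` is not reported as a download: the loader had not yet made a network connection when it wrote the file, so the PE-on-disk check alone only marks it as dropped, and it is the later `image_load` that raises `loads_dropped_dll`. Ordering the stream by timestamp before calling `analyze` matters for exactly this reason.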

MITRE ATT&CK Enterprise v15

Tasks