General

  • Target

    dd1d7116641dba5c1af7958b71bfe24c2d60a8a7639326ebeb7fdd113d8a91c7.xlsx

  • Size

    675KB

  • Sample

    240518-kz8jgscg77

  • MD5

    28d42cae4cee28cfa37c450041dc4e7e

  • SHA1

    b539443d52f649b6ab0a1780d8105a253a24c6b7

  • SHA256

    dd1d7116641dba5c1af7958b71bfe24c2d60a8a7639326ebeb7fdd113d8a91c7

  • SHA512

    a680bff52a0f788cbc758d0edd31fd97ea5b1c242b8e1c1c8f27a626cacf02a155c1cb51f74227a3ad8631b4373ba353d9d61b8888dcae4c038877ddea2f5135

  • SSDEEP

    12288:XKnWYE+vtlNhMRfrVIZQkwQ6P+bokESb2AgfdBEdR3/MpFkpeejonOMBKZcn:aV5hMRfrVeQTQ6wHEjYR3EDk0O8Kyn

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks