General

  • Target

    MT. NAXOS VOY 8 - PDA.pdf.lzh

  • Size

    633KB

  • Sample

    240521-fwx65aab89

  • MD5

    aa625d68a9259bd03a9447e7b71d4770

  • SHA1

    44e2d1d47af2f8a3152a68fc381a38c1ae38bdc3

  • SHA256

    eb2c2d001095f68cab6d038c61c7a55ccc3bfcca272239b7d8fe48e049ce3f30

  • SHA512

    23b36245badf96493c1b520303ef7fc05974597ac052dac4c29c02d5c3d23b076b46bf629824a3d7d1b7846c417285d800782ca67c0f2c3e6cea6ca1cc6eb15d

  • SSDEEP

    12288:4sJXSoOcluukxo2gfVQvjZMs0ShYgd0hVh4DM3Eb03iS/egl83bMCXBY:4sNQc4ukxifVIFTduVp3bN/egAMCXBY

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      MT. NAXOS VOY 8 - PDA.pdf.scr

    • Size

      656KB

    • MD5

      c63cebeaae6c25d95a7d3066b93ae1be

    • SHA1

      ac338a3b364333178df8acda49873ad9716a3e9b

    • SHA256

      227b52e8c9ed77b2fe6cec5e09c8898924d157034b5f7ba2bffcb2a3c3cbe949

    • SHA512

      43ee5cd986b92f5124abdf511561af6b0a054b762d268adb976aee8473abfbf23599816ed366b77af5477f78d4de4333e142e1f82cd27dace18071cbd270eb62

    • SSDEEP

      12288:XlYifTcClSW15Xkep2WThbNG0CAu6bCxSexegZo1iCTA6koWn95OyLvqj:2iVll5XTliAu6ORogYiqA6e95OyLCj

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks