General

  • Target

    Paraskevi Lisa _Ship-Particulars.pdf.lzh

  • Size

    773KB

  • Sample

    240521-stzndsad9w

  • MD5

    3d78992311b65f1f2d7ab5e128a16f2f

  • SHA1

    bf873ba4e23cdadd09a1296bdb20f774b00cdb63

  • SHA256

    1a439c0c2fd8af553b956b85987445c962d225fa8f5598244be82a13d0b56829

  • SHA512

    d86a9a2958068989c9c676a9ae78ac672d8fe36c672b01fe01ac206f9cfe2adbede72fabba022e1ceadc71c68abaf85182b481af0169ba2701d2cfe233abd9fb

  • SSDEEP

    24576:Ejy9mPVGIJssMcEVnqyCG0XhlnwvTuJNdEuiHQ:EumVgscEyCGQIul8Q

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      Paraskevi Lisa _Ship-Particulars.pdf.scr

    • Size

      832KB

    • MD5

      6f3669432b7c19215721c83a2ac6e657

    • SHA1

      b892abe515c7679b15395187009e4f0438cf8aa3

    • SHA256

      3460355ed7f15c26f882ae59f5d4bf95ce3b6cc3527bc6b64ecbfd86e139956e

    • SHA512

      d0f85480484958e5c41f842e81c27abaf0bcf2930c283cc83aca46a63393000f39dcdcb1390e651353c8310f95f262c6792e2fd6c797589b2cd006e13cad6825

    • SSDEEP

      12288:N0x504bFtx504bFWx+Fy/c/Lr/kKJD14HYLSPr1XtJv2ZUtliSjURn37Z:Kw4bjw4b7BnkTHYLkDv2ZUtlia87

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks