General

  • Target

    SINAR TORAJA PARTICULARS.pdf.lzh

  • Size

    648KB

  • Sample

    240522-mcptzabg2s

  • MD5

    f55f072e46ed3a7024bbd6ca7647180d

  • SHA1

    b9d4565cda0f16da5fe832d629db4025138bb344

  • SHA256

    1591ffe3bb29a63867e15e764d054093e8e981a0551a0d63aa8079f4a3b2c971

  • SHA512

    df89ee7f56c27dae2ea4d1097ad682f62e9fc96d57c32fbba3783dbd740a6f8f400b15966d769f7e633abc8a76bb8d9f6a435866a3ff1561a73304cf0af28ce8

  • SSDEEP

    12288:DSlD/CCB0BOO+rGbedHJnIyRw4+SHUpiQyXimYS/BjLXe:DSxNdO+raenIyu4dU0QEimZBjje

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      SINAR TORAJA PARTICULARS.pdf.scr

    • Size

      670KB

    • MD5

      c5a0ba17188d0ecf5f6952841b5228d3

    • SHA1

      a56118c862235208b608b88c6da4a925d6e0ff3a

    • SHA256

      17eeb291958feacdd246e605d777ce98fc9be320fd378283ac2764f1bc3b4c25

    • SHA512

      884853fa3170151fdac122e9e3536a1cbd48cda2a9de7325ac80f3d8d501d9846736384e62047ac1e1b0b8cc74be26356bcc05639219929d751f563137f30d87

    • SSDEEP

      12288:4D67tMcRHg4tHiYOH3KvXRM80k8Zv+JaqSIKXOF+ZHYCccwJ68QnGh:FMcR9HyX+BM80kQEaLpOF+tYCVnn

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks