General

  • Target

    NEG-S16-20.xslx.lzh

  • Size

    626KB

  • Sample

    240523-dmvnjabh54

  • MD5

    4f2003d9dedabb95895f06e41f1f139d

  • SHA1

    ea54020f029142273eefefff06c952155cd51403

  • SHA256

    416157183d15aabc842eaa886a699f35bf9522296a0bdf7912e0f2bb44447c8c

  • SHA512

    8a55edc5f854b991d3068ff65df65495159a01b2a35431b5a24c65a4bafa012397a17bfa3568b57d284bdc9b53b23166f39160951f9157564d930efa6dda609f

  • SSDEEP

    12288:TQPXzTuNcSifbRJN/gXPZKfpi0So4LDaumh1FECZhNUFAf2sEN3wM62ZuT0nl:2eNs71UPArp4Xmh1FECiihEN3Pugl

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      NEG-S16-20.xslx.scr

    • Size

      886KB

    • MD5

      deffa6528aa8ecf6e6f581ee41953497

    • SHA1

      acabd0b4f33c676e5152dacd0797a06c23bb98a4

    • SHA256

      bf5514d335e4930fc83a96c80379f37a04c3d7db5ce541de244f0a6dc0116a29

    • SHA512

      182b82c793b55b8737edd81a66f854b965d116e964c62de5b0b3b594774037aa99f8a21adc42cb1ff63e157c5a7bc44b799b28425acba63d7ff3454ac8546b3b

    • SSDEEP

      12288:/8vNAZt4fQ+foATEJyFkUtbrAllCHEhEFcu2WAPy:/8lkt4fzfhtkNfCoEuu2z

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks