General

  • Target

    MVGUO QIANG 8-PSGSIN082096.xls.lzh

  • Size

    626KB

  • Sample

    240523-fsw5naeg42

  • MD5

    c8a307e64174155b73e38862932e133b

  • SHA1

    52acb94a225b9641674d96501e05614bb32f5e1a

  • SHA256

    7c10b178cee543927b900ceb7f27a96dbd96172254fe659ce22d2e2b024e5c4d

  • SHA512

    80e3bad52c7fe2a04d5e1c62a81d1a4d56f59fb4195bdf7e0ac40bbace62b3d4afaa205aca59c0cd62a94e64209473e0882f03e416814ec73d58f87d9562906b

  • SSDEEP

    12288:oQPXzTuNcSifbRJN/gXPZKfpi0So4LDaumh1FECZhNUFAf2sEN3wM62ZuT0nl:HeNs71UPArp4Xmh1FECiihEN3Pugl

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    belogs@beirutrest.com
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    belogs@beirutrest.com
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      MVGUO QIANG 8-PSGSIN082096.xls.scr

    • Size

      886KB

    • MD5

      deffa6528aa8ecf6e6f581ee41953497

    • SHA1

      acabd0b4f33c676e5152dacd0797a06c23bb98a4

    • SHA256

      bf5514d335e4930fc83a96c80379f37a04c3d7db5ce541de244f0a6dc0116a29

    • SHA512

      182b82c793b55b8737edd81a66f854b965d116e964c62de5b0b3b594774037aa99f8a21adc42cb1ff63e157c5a7bc44b799b28425acba63d7ff3454ac8546b3b

    • SSDEEP

      12288:/8vNAZt4fQ+foATEJyFkUtbrAllCHEhEFcu2WAPy:/8lkt4fzfhtkNfCoEuu2z

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Collection

Data from Local System

4
T1005

Tasks