General

  • Target

    dfe0e6b11dab62c713e379c0455b008c50e539eb175b3e60871ecbf8fe81b169.xlsx

  • Size

    14KB

  • Sample

    240523-q13mhsdd23

  • MD5

    3d44b278e13e6d979280c8efa3d9719d

  • SHA1

    ed7e50f888ff7b231be601dcd03f8165f671b674

  • SHA256

    dfe0e6b11dab62c713e379c0455b008c50e539eb175b3e60871ecbf8fe81b169

  • SHA512

    f272a9c7bbd748526cb75ffc1e52c7481f47558f10ce2a5c5677e1aa7154038b01288a32a156cfe7b64f508800c4ae39b8f35202dd741bd4dcbba5b88548619c

  • SSDEEP

    384:24rYeXIZwO3vs73sXKa+fDF8tcazB9o53:VrXIXaUCDCcato

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      dfe0e6b11dab62c713e379c0455b008c50e539eb175b3e60871ecbf8fe81b169.xlsx

    • Size

      14KB

    • MD5

      3d44b278e13e6d979280c8efa3d9719d

    • SHA1

      ed7e50f888ff7b231be601dcd03f8165f671b674

    • SHA256

      dfe0e6b11dab62c713e379c0455b008c50e539eb175b3e60871ecbf8fe81b169

    • SHA512

      f272a9c7bbd748526cb75ffc1e52c7481f47558f10ce2a5c5677e1aa7154038b01288a32a156cfe7b64f508800c4ae39b8f35202dd741bd4dcbba5b88548619c

    • SSDEEP

      384:24rYeXIZwO3vs73sXKa+fDF8tcazB9o53:VrXIXaUCDCcato

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks