General

  • Target

    SAPPHO (Q88).PDF.lzh

  • Size

    672KB

  • Sample

    240603-k1e9bsba24

  • MD5

    8071977e92f56b70709713d6a35653a8

  • SHA1

    08129359fb773c3535b6c2ca9ad44c4d24bb2354

  • SHA256

    a3b8c1cc4dc18239ca6a387d10109d5b40014e033b3ac66b238d093a85b358d4

  • SHA512

    d3800adfa396fbd0281f17ea484b02874548bc0f3d39870bb3239c5a1a888fa9d0da2498edb26f794ca1a76baeb8535e9e40e8073d47f7cdce3c84677349d48d

  • SSDEEP

    12288:QQsNSbOlsxRazYdLUDHIg2t2gRg96t7FArDE61ie1QETNin0lVNgR:QQssfz7L4It2m8DE617FS0buR

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      SAPPHO (Q88).PDF.scr

    • Size

      844KB

    • MD5

      d1473af035ad29a5106b6e0c86136c62

    • SHA1

      d8aa3f840097d53cb03d35020e1ec904aa779b6c

    • SHA256

      09e3dca360715fc66070377bbf9ac07c8af08b6f5bc11a8e9de381368b21a32d

    • SHA512

      ab1c50459147d77ab5359d1899d7107c698e712cc6e6cd6371236a4a59ad04d755c563e8d58e9ef3e92ebbb7b575da798af1c2e16becb6040e141d7503820ed9

    • SSDEEP

      24576:JMYeNVDN5i/7oYEADXg/7w6y5frNhSXiRIVqf:JMYePN5i/7vEWwjwNfrrSXwIVq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks