General

  • Target

    JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.lzh

  • Size

    672KB

  • Sample

    240603-k62phshh2v

  • MD5

    8067557ae9e080d582021a7ad426ca11

  • SHA1

    d696f06285161f24cc2f56c4693fd0e72ef91327

  • SHA256

    ab154953bf25d3b4bfa47032114aa3012a67d38d08c7fefe6916552120071d7f

  • SHA512

    d88190f3667c398c5e6dc03078507b48ba7d03a23096b0cba4cd8db9cde707cd5793ef0d8949e5924d0bb565b6acf21a51dc54f01fcd1de1bbfa6d9c2b09c1e1

  • SSDEEP

    12288:GQsNSbOlsxRazYdLUDHIg2t2gRg96t7FArDE61ie1QETNin0lVNgR:GQssfz7L4It2m8DE617FS0buR

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr

    • Size

      844KB

    • MD5

      d1473af035ad29a5106b6e0c86136c62

    • SHA1

      d8aa3f840097d53cb03d35020e1ec904aa779b6c

    • SHA256

      09e3dca360715fc66070377bbf9ac07c8af08b6f5bc11a8e9de381368b21a32d

    • SHA512

      ab1c50459147d77ab5359d1899d7107c698e712cc6e6cd6371236a4a59ad04d755c563e8d58e9ef3e92ebbb7b575da798af1c2e16becb6040e141d7503820ed9

    • SSDEEP

      24576:JMYeNVDN5i/7oYEADXg/7w6y5frNhSXiRIVqf:JMYePN5i/7vEWwjwNfrrSXwIVq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks