General

  • Target

    FEDNAV SMX TBN PARTICULARS.pdf.lzh

  • Size

    672KB

  • Sample

    240603-ljyj1sac21

  • MD5

    1e405b317b0c141ab8240fb52c8e3f12

  • SHA1

    cc461f65431434e72780a6e3db68414480bcd50f

  • SHA256

    ee9593b6472c1b07a9442e7a36e45ec427414f883c91881456191a4668607786

  • SHA512

    ac3a3f1a9bf7580ebf909351999cb77d770ee5f786e30b3088a2af56eae89708e0fd65bdd276ba0cb27b5865bfd1037b5cf07bea9e3fb268a936af9ce1e3e6be

  • SSDEEP

    12288:AQsNSbOlsxRazYdLUDHIg2t2gRg96t7FArDE61ie1QETNin0lVNgR:AQssfz7L4It2m8DE617FS0buR

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      FEDNAV SMX TBN PARTICULARS.pdf.scr

    • Size

      844KB

    • MD5

      d1473af035ad29a5106b6e0c86136c62

    • SHA1

      d8aa3f840097d53cb03d35020e1ec904aa779b6c

    • SHA256

      09e3dca360715fc66070377bbf9ac07c8af08b6f5bc11a8e9de381368b21a32d

    • SHA512

      ab1c50459147d77ab5359d1899d7107c698e712cc6e6cd6371236a4a59ad04d755c563e8d58e9ef3e92ebbb7b575da798af1c2e16becb6040e141d7503820ed9

    • SSDEEP

      24576:JMYeNVDN5i/7oYEADXg/7w6y5frNhSXiRIVqf:JMYePN5i/7vEWwjwNfrrSXwIVq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks