General

  • Target: Description CALIPSO dd 26.03.2024.doc.lzh
  • Size: 671KB
  • Sample: 240603-malpjaba6s
  • MD5: 8ca580921d7548d4a269d531eb6662b5
  • SHA1: 00bfd0f1ade33416cf8a698ecce28212b78512af
  • SHA256: 5a9c5ed46fc46eeb7a5a425d17825ff2e36334e4fd94917768298b0327aaf1a8
  • SHA512: d56048c47a937dc87e7b6819b123e50090610a8fa54f3fddbc0547f992349470af6d07b14387f144efafe3f9ea41fe84ac7b5e21cca4473d1bd2cf740ee79ad5
  • SSDEEP: 12288:AkxgpXMitb5KoAxCBxVu62gpG3SlixhlfDHKIRek806Y7YJsTO:AkuBUxC9+lWdHpY7LK

Malware Config

Extracted

Family: agenttesla

Credentials

  • Protocol: ftp
  • Host: ftp://beirutrest.com
  • Port: 21
  • Username: [email protected]
  • Password: 9yXQ39wz(uL+

Extracted

Credentials

  • Protocol: ftp
  • Host: beirutrest.com
  • Port: 21
  • Username: [email protected]
  • Password: 9yXQ39wz(uL+

Targets

    • Target: Description CALIPSO dd 26.03.2024.doc.scr
    • Size: 843KB
    • MD5: 6e075d09953e877c0ca9a98ac749dff2
    • SHA1: a3dc16d79e5487c622c30545a47ac504573e9ea8
    • SHA256: 50ef75bd66c4bb9ce6001a41b53c0925e98eaed9b94b7125543ffecc0d4ace82
    • SHA512: 67bb4c0e98751650b4d170dc30d110c035b4115952fda1b725ff73290675d712b9947e79f7f424df2b2e9a40d9bddbbe33bbc1147552c99ee0c0da8cc3a0d550
    • SSDEEP: 24576:3MYeLSN5iFoayUfVtUv6LPg/Vv82DFF4:3MYeGN5iFZyMNzg/2wFF4

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15