General

  • Target

    19215023198d9ebe4a626113cc6c001bd4d250ebea69aa25afd483aefd4c0984.xlsx

  • Size

    653KB

  • Sample

    240609-lcczqsgf3y

  • MD5

    ddfba93d516fe962fc785056189afea7

  • SHA1

    65197b03ded95c0664179c1f28637d5799ece267

  • SHA256

    19215023198d9ebe4a626113cc6c001bd4d250ebea69aa25afd483aefd4c0984

  • SHA512

    4954799467218948b955697827b98d7b9681b1608bc2472c57fa4c218a6d9f38491b7df10f60e66a69c699c8352d6a0392d059114c0c2be59e6fc254fa1e8b62

  • SSDEEP

    12288:NLnWI4DNnXcSKJ/icWmLyzuCuMeOFC0180gzLuh1Y+5NIj6nSuP3T1sHOGJ65e:F0DNXcX0cWm+zLFWdLcK+TDx3pZs

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIt scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks