General

  • Target: c0baec4eb2deb38c2f86c250a7aae50a417652429439bb5ecce82e8bac6892ef.xlsx
  • Size: 652KB
  • Sample: 240609-lrlkeshf46
  • MD5: d32ebf59d912022ad03be9f1a79d1622
  • SHA1: 70e185fcd828497aea47489ebd84feb70ed21983
  • SHA256: c0baec4eb2deb38c2f86c250a7aae50a417652429439bb5ecce82e8bac6892ef
  • SHA512: f463d70e2773a9b27c43ff24a2fdfc242e55050ba81ea5af34b9984b8aae7697ce0d38135dfefb507efc89c7ca0aba1b6be7040092dd98ce8811b9ab5bb474a5
  • SSDEEP: 12288:eOnWEibaQbA8GS3zY4uKhbO6ZvRM98HaN6N2hN1JAQYVu5RGE41Gw57bhRw:5vQlcfKhrZvRZa42hNKuHGES/O

Malware Config

Targets

    • Target: c0baec4eb2deb38c2f86c250a7aae50a417652429439bb5ecce82e8bac6892ef.xlsx


    • AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    • AutoIT Executable: AutoIT scripts compiled to PE executables.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks