General

  • Target

    ebe0db47f3d58129ded5690057c586c10adba99f5efea70eb2defd4be879d204.xlsx

  • Size

    743KB

  • Sample

    240609-nk2n6shh71

  • MD5

    0bae405b6cbbd6f2a51b6c8f3d3229d4

  • SHA1

    c883182707d44204007d65a270f4f5794dd9328b

  • SHA256

    ebe0db47f3d58129ded5690057c586c10adba99f5efea70eb2defd4be879d204

  • SHA512

    98b5371a3e3dfd61e190db23a0fe246b2b2073eaa3f13424f6690cdeed48bc04e661bf361144968b028b72bdd47f68cdab4d56a0816128aa0f27db06c24d8c0f

  • SSDEEP

    12288:k2nWqZIWl17AxZ1AibfuOXwLeLCmBeJmxZIjza2rVHIaKLdGfT3wxWv0gONA+/:R3BAxFrvIQLesDIjzEaKhiUhNL

Malware Config

Targets

    • Target

      ebe0db47f3d58129ded5690057c586c10adba99f5efea70eb2defd4be879d204.xlsx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks