General

  • Target

    Shipping Documents PO88900.zip

  • Size

    267KB

  • Sample

    240612-b28slaxhqp

  • MD5

    cd67c7f6717c288091596578983b6239

  • SHA1

    f6d99fa7f46ed6811161949746ef0299e2b3c263

  • SHA256

    002a502092b22bd781f7f89f7016c2674e52a10625c9df7e7300977262356674

  • SHA512

    8b56862d5681aa7416a30ed7854d998eb6a2e3b7d0cb3fa5d3ba9673fd618cbbc17068b8f875a72482d4b4430417826bf179dbf42455c0f60bfa96bd485c1d72

  • SSDEEP

    6144:/fr83iHBSdGjCMaMO6S/13winkAqoGg3cZlbIxgdL9V80cSmMPA:/wyH5GMaMfSdPkAtGnl9dL9E

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dol
  • Password:
    Doll900#@

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dol
  • Password:
    Doll900#@

Targets

    • Target

      Shipping Documents PO88900/Shipping Documents PO88900.xlsx.exe

    • Size

      390KB

    • MD5

      9ad1097ef6d23a86d4b9327e54fdc9bc

    • SHA1

      517d09c1d755f08f3c5bf073d87185a801b68907

    • SHA256

      df9e1f7fa8d1badaa7afd42cc3aac4ef5aad3a9973ee71059599325284566e67

    • SHA512

      1ea9293a6931e191b1c63537fc5ea003e8ae98d53242a711769052bf9ba1976def2bb5f7894f85a0da087c0a4354a68474268da77d8438cfbb0a04299df7c955

    • SSDEEP

      6144:nG8/Pl5W2KYbjOrq1NijSchoiEC8IjhJwJpNhCF5qGI3f2nwf0F4eQhrt/bcnAI:n2rgijP7EHEsvNhC7IfBbhrt4T

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar data.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks