General

  • Target

    e6ecf390542c44da68e56315d0aa3924239c5798fdc58bf7955b0e6b6613787d.xlsx

  • Size

    726KB

  • Sample

    240612-cx45aayfrf

  • MD5

    e38bcfcd4aef15bb987399f787557582

  • SHA1

    d49c20bed98eabc5df26e5309572e2b946ca2189

  • SHA256

    e6ecf390542c44da68e56315d0aa3924239c5798fdc58bf7955b0e6b6613787d

  • SHA512

    9471ba49d1a29c8c339fe720d99b2742d90fce7840f7de34c35a3c31d6626c4652a2e62318abf7f242a90aab51bda0cf80c63c092db7f3c48c3d6aa0446de7a6

  • SSDEEP

    12288:/knWybbQuN3IQIRHksCPbuNlK4fS212xQao9bkoJhPY2hR8EMgYJ9Axtat9fJluP:cJbj4X1GPbubK43gyd9bk6XRbHk9vBJy

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks