General

  • Target

    HORAE - PARTICULARS (0)(0).PDF.lzh

  • Size

    655KB

  • Sample

    240612-fdl15s1dpf

  • MD5

    9203ccb64b84b70dcca636970bd41218

  • SHA1

    7d761a3eb30d5cdb0266af2cb929cc6e0e44a4e2

  • SHA256

    0c8b44aa35e6438a0911ca225c587d58d15df669bee027dde8bdb514bd57f39b

  • SHA512

    686918b95828287cd04610bf33d985a84dfd049dfc7aa4027f9051fadf3cc7c9d7733697ef17db7ab62d4077ec2da9526494a90e4dbb377f4a58eb60eabff4d1

  • SSDEEP

    12288:sKzgxX1q91MzuC4Yoxo5U7mI6gHNOr7AM8aS6LRV0XX/osnvJ8:sKzgxY1fCloZHNML3LROQn

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      HORAE - PARTICULARS (0)(0).PDF.scr

    • Size

      676KB

    • MD5

      11fc68bb6dd5ab9c2c09d7e2a948c517

    • SHA1

      895cc048a0e68e313b1c86f201af51973aad0ab1

    • SHA256

      c439d590023f8a1aac0da090ccc0d54a51d0976a451bd3852088c753a3bf920e

    • SHA512

      fff6b8f41daaf0259957630ca411b3b246ba8816b984b7f14d1c3e2a601fb4c5dad2368534576c49318ea6baf46efe5fa64fb2169c391f090f8109f875cd0af1

    • SSDEEP

      12288:JgR2iNStcY+JeVUdzKB+4FaEiHMKiMZnpDsxsWnC/7lQiqK3LiqWxMc:JgR1McROWzkFajHqCpJWCiKbiqWq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
