General

  • Target

    18062024_1249_New_Order_xlsx.bz2

  • Size

    28KB

  • Sample

    240618-p2hhasybqm

  • MD5

    e9297d8f85b351ca0575b4b722256631

  • SHA1

    5b879282fd4674e19e67012b6dbe42ca6c529762

  • SHA256

    31516782702f7eb5dba59fcb42c79e638f4de7a616d68a357baf8dc97c870a61

  • SHA512

    cf87bc042a5a63759375dc70dd4e979d453e490170c264a8ef1116527bab6ea1543179aaf0950ae3cfdfd554a928514835bae4eb353b6ee5621bfcc232545dc8

  • SSDEEP

    768:SEttryVpvbiH8Hz09lBo6xkRnOASt1Ms8bdN:SEttu/rzYjkGUpN

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Order_doc_3898934784389932787823637832893278.exe

    • Size

      73KB

    • MD5

      7f9f6856748008e47c736664df0f97d4

    • SHA1

      6be6218294e24d5515e09c019656a8c0cf34100e

    • SHA256

      040a600783e2b014cd6b8163e36611d2af9a7246d70d34b9b32ab23ab4691605

    • SHA512

      fa8c2312eb905528f90e54e38e45997dcf0013ce891542bb7d1c38ed584b78aa0b1d335276271fddd2d750ae8abfbb80fcc03d90fa331c9f32cf8ecde8851cac

    • SSDEEP

      1536:RJbGquvrQcdCIdTaqc3aBMohSqdXnbCu81nFS8mO:RVGPrQWCIEqBBRhSqdXbCu81JmO

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks