General

  • Target

    65e8917946a978a0b09b14d4177fa4e6e71ded6bd48ab91414fa81a1e2a519b7.xlsx

  • Size

    725KB

  • Sample

    240618-vp8rlswhkr

  • MD5

    16e546a8202702091739c35484ba1cd3

  • SHA1

    8220a7fc4abe77109b3eb80ae7211997603287d3

  • SHA256

    65e8917946a978a0b09b14d4177fa4e6e71ded6bd48ab91414fa81a1e2a519b7

  • SHA512

    4711f24a6857f59a6f5643ce3043d85377a8c4645503751f7ebd3e5b690d0528a502e39bcfdc28cfa6214ea8eb09fd12b7ee6bad14d74343cf263ad22f92685d

  • SSDEEP

    12288:QhrnWHeTDAsDm6Kglg8MBJfjrQP9HYh5o2CtpB/vr+fRsNEYKDof6T5dORZDxTn/:srxCDwRMBljcP94h5o247vr+JsNEYYTU

Malware Config

Targets

    • Target

      65e8917946a978a0b09b14d4177fa4e6e71ded6bd48ab91414fa81a1e2a519b7.xlsx

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP, which Agent Tesla includes in the data it reports back.

    • AutoIt executable

      An AutoIt script compiled into a PE executable.

    • Suspicious use of SetThreadContext

      Setting the thread context of another process (typically one the caller just created in a suspended state) is the step of process hollowing that hands execution to the injected payload.
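
The signatures listed above can be expressed as rules over a process/network/file event stream. The following is an added example of how a few of them can be checked, together with a verification of the file hashes listed in General; it is not Hatching Triage's signature code. The event schema, the list of IP lookup hosts, and the sample events are constructed for illustration.

```python
"""Re-implementing a few of the sandbox signatures above as rules over a
constructed event log, plus a check of the listed file hashes.
This is an added example, not the sandbox's own signature code; the Event
schema, IP_LOOKUP_HOSTS and SAMPLE_EVENTS are assumptions for illustration."""
import hashlib
from dataclasses import dataclass

# Hashes listed on the page for the sample; match_hashes() recomputes them
# over file bytes so a downloaded copy can be verified before analysis.
SAMPLE_HASHES = {
    "md5": "16e546a8202702091739c35484ba1cd3",
    "sha1": "8220a7fc4abe77109b3eb80ae7211997603287d3",
    "sha256": "65e8917946a978a0b09b14d4177fa4e6e71ded6bd48ab91414fa81a1e2a519b7",
}

# Legitimate external-IP services (assumption: illustrative list, not the
# sandbox's blocklist).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "checkip.dyndns.org",
                   "icanhazip.com", "ipinfo.io"}


@dataclass
class Event:
    kind: str            # "process", "network", "file_write", "image_load", "api"
    pid: int
    ppid: int = 0        # parent pid (for "process")
    image: str = ""      # process image name (for "process")
    path: str = ""       # file path (for "process", "file_write", "image_load")
    host: str = ""       # destination host (for "network")
    api: str = ""        # API name (for "api")
    target_pid: int = 0  # pid whose thread is targeted (for "api")
    data: bytes = b""    # bytes received or written (for "network", "file_write")


def match_hashes(data: bytes, expected: dict) -> dict:
    """Compute each listed digest over data and report which ones match."""
    return {name: getattr(hashlib, name)(data).hexdigest() == value
            for name, value in expected.items()}


def evaluate(events) -> set:
    """Return the set of signature names triggered by the event stream."""
    hits = set()
    parent = {}      # pid -> ppid, for relating an injector to its child
    dropped = set()  # paths written during the run
    for e in events:
        if e.kind == "process":
            parent[e.pid] = e.ppid
            if e.path in dropped:
                hits.add("Executes dropped EXE")
        elif e.kind == "network":
            if e.host in IP_LOOKUP_HOSTS:
                hits.add("Looks up external IP address via web service")
            if e.data[:2] == b"MZ":
                hits.add("Downloads MZ/PE file")
        elif e.kind == "file_write":
            dropped.add(e.path)
        elif e.kind == "image_load":
            if e.path in dropped and e.path.lower().endswith(".dll"):
                hits.add("Loads dropped DLL")
        elif e.kind == "api" and e.api == "SetThreadContext":
            # Rewriting a thread context in a child the caller spawned is the
            # hand-off step of process hollowing.
            if e.target_pid != e.pid and parent.get(e.target_pid) == e.pid:
                hits.add("Suspicious use of SetThreadContext")
    return hits


# Constructed event log resembling the behaviour the report flags.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_EVENTS = [
    Event("process", pid=100, ppid=1, image="EXCEL.EXE",
          path=r"C:\Program Files\Microsoft Office\EXCEL.EXE"),
    Event("network", pid=100, host="cdn.example.invalid", data=PE_STUB),
    Event("file_write", pid=100, path=r"C:\Users\Public\update.exe", data=PE_STUB),
    Event("process", pid=200, ppid=100, image="update.exe",
          path=r"C:\Users\Public\update.exe"),
    Event("file_write", pid=200, path=r"C:\Users\Public\helper.dll", data=PE_STUB),
    Event("image_load", pid=200, path=r"C:\Users\Public\helper.dll"),
    Event("process", pid=300, ppid=200, image="hollowed_host.exe",
          path=r"C:\Windows\hollowed_host.exe"),
    Event("api", pid=200, api="SetThreadContext", target_pid=300),
    Event("network", pid=300, host="api.ipify.org"),
]

if __name__ == "__main__":
    for name in sorted(evaluate(SAMPLE_EVENTS)):
        print("HIT:", name)
```

The SetThreadContext rule deliberately requires a parent/child relation between caller and target; a process setting the context of its own threads is routine and would otherwise flood the rule with false positives.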

MITRE ATT&CK Enterprise v15

Tasks