General

  • Target

    MV OKTEM AKSOY BALTIC QUESTIONARY.pdf.lzh

  • Size

    612KB

  • Sample

    240625-ke5bbsyfrd

  • MD5

    813dbb5e14f01a78096c8519d643eed7

  • SHA1

    b6094d9c434ecd534abaeb977c773f5a1e20e36e

  • SHA256

    cb6bee68112252d39a6485d5bc3fbcb42d05e6dea374653762558faa5d3d5eab

  • SHA512

    2522e09a59ee447d840ef21c2ae56f9ae248a9a1a8578097376e93f75aa7d79679657999ced651610ee4e4e7ba0aee419580dede35d833f8181f1181571fee1d

  • SSDEEP

    12288:/XLuN0O9FRMz4QK/6isVfwMOxBaH/lp5h2OMet2RNDPZ1pK+xnC3RRjgSxPjFBgm:vqBRMzFc6isSMDH3D2OWrZdxC3RRjgSp

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      MV OKTEM AKSOY BALTIC QUESTIONARY.pdf.scr

    • Size

      659KB

    • MD5

      94229cfdcc9bc894bf133d544de04277

    • SHA1

      41308be585e74765f2f4e5acf1efd8665b6c2bd8

    • SHA256

      b605c4eaa917dcea421342a1414949dd7a06449d437e85df123e412dcd4fa6fe

    • SHA512

      80e7402ab4ab37b860744fd991489e9bee599399a090c4c419bb2454204e126103fa990e6927d469b1ec9369eb414c1447287bf82679749df4c99f0501411d88

    • SSDEEP

      12288:HOcwtNMG1vvATlPexwIk8HHSmFKyyw5AX6WzTIanMa:uaGYoIAHjF19Co

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks