General

  • Target

    YU HENG STAR.PDF.lzh

  • Size

    615KB

  • Sample

    240625-l9v7kswhnl

  • MD5

    01e22fe838dd78b08240e724cd80199c

  • SHA1

    4dd4a551b04bfa64d2482a134ff3ef5b5bba547b

  • SHA256

    7363b8e62c1b72eaa17fd0a40ad415df67a97352b3bd65a8b25d2a14bf8b0bc4

  • SHA512

    00053122375a3c4aed668b21926ad7ff44ae3be07126d0e45fef17b29a5d9438a6c2e120c4deef4070d614e91bd20ea9007067e521d50194c63817497e5fe542

  • SSDEEP

    12288:3UB491I7V3vckc2+Nr/LoGG6nQu81DMVvEZzK8+lrEGRC5rHwdl/3OUgy+9Wq:3U4uvckc2YTLoGHODwvpZnC5Mdl/gyaT

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      YU HENG STAR.PDF.scr

    • Size

      661KB

    • MD5

      7359f4e87c30694572e3b8114c231d3d

    • SHA1

      ec4fb04fcbae5e464795c1589c352a4c6521c452

    • SHA256

      1e8be8a54b18368f46ec0d47a0931bacb773855f49c0b444dcbff60502e71fb6

    • SHA512

      4a7425980e88a7009bf1f1b6974bd8b6e3ba7e7e880c2975282113f2aa32eeba6dc0177e0643b4dad0fca58179a3ec7473f7d8db2cd239b7d0265261c55dc354

    • SSDEEP

      12288:5a4wtNTxp+3tDwOzR8iucTfsINp7F82s8jUApCDrtRc4yNpC:A3p+NwOWiucLVp7aztAp8gn

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks