General

  • Target

    MV SEVKETTIN SONAY_VSL's DESC.DOC.lzh

  • Size

    645KB

  • Sample

    240625-smp6dazgjk

  • MD5

    2ffe5462be18f98940bc935f6fd7f81c

  • SHA1

    91bf6f80de8b69e9e06195b3a3482eefbc355e7e

  • SHA256

    44b8cbccdfd862899d4d5825e10389d7daa49fbab25d18b50c593a9a81d3d9d0

  • SHA512

    086a46854d327ddbbb30c729f317c0003916e31071b731895e1a6d6628331151ac1d1594058d583e99a9e06fa62c2e844b69c8d51338977667059783c1e3031f

  • SSDEEP

    12288:JA7NTmGY2E80cN1oZnaQuIOL/7kh29Un8SH9yjrsjhmVromQS3GIc0Do:JE9mMZoZaQuIgkh2WnTWeo0HSWIc3

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

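The two extracted blocks above describe the same exfiltration channel: plaintext FTP on port 21 to beirutrest.com, with the host once given with its scheme and once without. Because FTP sends the login and the uploaded files in cleartext, this configuration is directly visible to network monitoring. The following Python is an added example (not part of the report or of any sandbox tooling) that matches a constructed, simplified FTP-session log against the extracted host, port and password, and falls back to a generic "cleartext upload from an internal host to an external server" rule for the day the operator rotates the server. The log layout, the internal address ranges, the usernames and the resolved server IPs are assumptions made for the example; the obfuscated username on the page is not used.

```python
"""Match FTP session telemetry against the exfiltration config extracted from this sample."""
import ipaddress


def normalize_host(value):
    """The two extracted blocks give 'ftp://beirutrest.com' and 'beirutrest.com';
    strip scheme, path and port so both compare equal (IPv4/hostnames only)."""
    host = value.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


# Copied from the extracted config above. The username is obfuscated on the page, so only the
# host, port and password are used; the password is a high-confidence, sample-specific IOC.
EXFIL_HOST = normalize_host("ftp://beirutrest.com")
EXFIL_PORT = 21
EXFIL_PASSWORD = "9yXQ39wz(uL+"

# Address ranges the (assumed) organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in a simplified, tab-separated FTP session log (not a real capture
# and not Zeek's exact schema). Usernames and resolved server IPs are placeholders.
FIELDS = ("ts", "orig_ip", "resp_ip", "resp_port", "resp_name", "user", "password", "command", "arg")
SAMPLE_FTP_LOG = """\
1719300001.10\t10.0.0.15\t198.51.100.7\t21\tmirror.example.org\tanonymous\tguest\tRETR\tREADME
1719300012.42\t10.0.0.23\t192.0.2.17\t21\tbeirutrest.com\tredacted@beirutrest.com\t9yXQ39wz(uL+\tSTOR\tPW_report.html
1719300013.90\t10.0.0.23\t192.0.2.17\t21\tbeirutrest.com\tredacted@beirutrest.com\t9yXQ39wz(uL+\tSTOR\tKL_report.html
1719300020.05\t10.0.0.31\t192.0.2.99\t21\tftp.partner.example\tbackup\tS3cret!\tSTOR\tnightly.tar
"""


def parse_ftp_log(text):
    """Parse the tab-separated layout above into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["resp_port"] = int(rec["resp_port"])
        records.append(rec)
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_session(rec):
    """Return (severity, reason) for a session, or None if it is unremarkable."""
    reasons = []
    if rec["password"] == EXFIL_PASSWORD:
        reasons.append("password matches the extracted Agent Tesla FTP credential")
    if normalize_host(rec["resp_name"]) == EXFIL_HOST and rec["resp_port"] == EXFIL_PORT:
        reasons.append(f"session to the extracted exfil server {EXFIL_HOST}:{EXFIL_PORT}")
    if rec["user"].lower().endswith("@" + EXFIL_HOST):
        reasons.append("login with an account on the exfil domain")
    if reasons:
        return "high", "; ".join(reasons)
    # Generic fallback that survives a rotated server or password: a cleartext FTP upload
    # from an internal host to an address outside the organisation.
    if rec["command"].upper() == "STOR" and is_internal(rec["orig_ip"]) and not is_internal(rec["resp_ip"]):
        return "medium", "cleartext FTP upload from an internal host to an external server"
    return None


def find_exfil(records):
    """Return one finding per suspicious session, in log order."""
    findings = []
    for rec in records:
        verdict = classify_session(rec)
        if verdict:
            findings.append({"ts": rec["ts"], "src": rec["orig_ip"], "dst": rec["resp_name"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for finding in find_exfil(parse_ftp_log(SAMPLE_FTP_LOG)):
        print(finding)
```

On the constructed log the two sessions to beirutrest.com are flagged high on all three indicators, the partner upload is flagged medium by the generic rule, and the anonymous download is ignored. The password match is the most durable single indicator here: it does not depend on DNS resolution and is unlikely to collide with legitimate traffic.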
Targets

    • Target

      MV SEVKETTIN SONAY_VSL's DESC.DOC.scr

    • Size

      717KB

    • MD5

      856076a266bf66744428123e379d6e54

    • SHA1

      88e2e194d5944b748671fefa67c61d3c48af7cf6

    • SHA256

      c09cba9da1f8a6c8fbda87ce1c29455118eb13876286388a7d768ba98585aa78

    • SHA512

      a5aeb1f440fb332eb5c8cac0ac2c2a5027984acf87c16716e5e96620fd4e379e0a07776e35c2099221ae21ad440d83ec98ca6f6bcd7bc163d6c56d91e52458da

    • SSDEEP

      12288:4cxbJytLuL+vKDrPvBMVe/CPMvLM2isPhGCMQJ46Bh7zl:4cxbJnHegVTHisJYjUhN

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), commonly described as written in Visual Basic .NET. It harvests saved credentials from installed applications and sends them to an operator-controlled server; the extracted config above shows this sample exfiltrating over plaintext FTP.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions, which by default live under HKCU\Software\Martin Prikryl\WinSCP 2\Sessions (or in WinSCP.ini for portable installs) and may contain saved passwords.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with FTP clients such as FileZilla, for example sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla, which store site credentials.

    • Reads user/profile data of local email clients

      Email clients store account settings and saved passwords on disk or in the registry (for example Thunderbird profile files and Outlook profile keys), which infostealers commonly harvest.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP, which is then included in the stolen data. The request is benign on its own, but an IP lookup made by a non-browser process is a useful pivot when hunting.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the usual final step of process hollowing and similar injection: the malware writes its payload into a suspended process and points that thread's instruction pointer at it before resuming it.
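The behaviours listed above are individually common (every FTP client reads its own site manager), so a practitioner wants the combination: one process reading credential stores belonging to several unrelated applications, plus an external IP lookup, launched from a file with a document-looking double extension such as DESC.DOC.scr. The following Python is an added example (not part of the report or of any sandbox tooling) that triages constructed Sysmon-style file, registry and DNS events for exactly that pattern. The store locations are the applications' well-known default paths, the owner-application allowlist and the IP-lookup hosts are assumptions, and the events are constructed, not taken from the sandbox run.

```python
"""Triage host telemetry for the credential-store access described by the signatures above."""
import fnmatch
import re
from collections import defaultdict

# Default locations of the credential stores the behaviours above refer to (lower-cased,
# environment variables already expanded). These are the applications' well-known paths,
# not values taken from the report.
CREDENTIAL_STORES = {
    "ftp_client": [
        "*\\appdata\\roaming\\filezilla\\sitemanager.xml",
        "*\\appdata\\roaming\\filezilla\\recentservers.xml",
    ],
    "winscp": ["hkcu\\software\\martin prikryl\\winscp 2\\sessions*"],
    "browser": [
        "*\\google\\chrome\\user data\\*\\login data",
        "*\\mozilla\\firefox\\profiles\\*\\logins.json",
    ],
    "email_client": [
        "*\\thunderbird\\profiles\\*\\logins.json",
        "hkcu\\software\\microsoft\\office\\*\\outlook\\profiles*",
    ],
}
# Applications that legitimately read their own store; anything else touching it is of interest.
OWNER_APPS = {
    "ftp_client": {"filezilla.exe"},
    "winscp": {"winscp.exe"},
    "browser": {"chrome.exe", "firefox.exe"},
    "email_client": {"thunderbird.exe", "outlook.exe"},
}
# Assumed examples of public IP-lookup services; the report does not name the one this sample used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}

SAMPLE_IMAGE = r"C:\Users\user\Downloads\MV SEVKETTIN SONAY_VSL's DESC.DOC.scr"
# Constructed Sysmon-style events (pid, image, kind, target); not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"pid": 4242, "image": SAMPLE_IMAGE, "kind": "file",
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 4242, "image": SAMPLE_IMAGE, "kind": "registry",
     "target": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"pid": 4242, "image": SAMPLE_IMAGE, "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4242, "image": SAMPLE_IMAGE, "kind": "file",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json"},
    {"pid": 4242, "image": SAMPLE_IMAGE, "kind": "dns", "target": "api.ipify.org"},
    # Benign: FileZilla reading its own site manager, and a shell doing an IP lookup alone.
    {"pid": 1100, "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "kind": "file",
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 2200, "image": r"C:\Windows\explorer.exe", "kind": "dns", "target": "api.ipify.org"},
]


def classify_target(target):
    """Map a file path or registry key to the credential store it belongs to, or None."""
    t = target.lower()
    for category, patterns in CREDENTIAL_STORES.items():
        if any(fnmatch.fnmatchcase(t, p) for p in patterns):
            return category
    return None


def has_deceptive_double_extension(path):
    """'DESC.DOC.scr' style: a document-looking name whose real type is executable."""
    name = path.rsplit("\\", 1)[-1].lower()
    return re.search(r"\.(doc|docx|pdf|xls|xlsx|txt|jpg)\.(scr|exe|com|pif|bat|js|vbs)$", name) is not None


def profile_processes(events):
    """Per pid: image, the store categories read by a non-owner process, and IP-lookup flag."""
    hits = defaultdict(lambda: {"image": None, "stores": set(), "ip_lookup": False})
    for ev in events:
        rec = hits[ev["pid"]]
        rec["image"] = ev["image"]
        exe = ev["image"].lower().rsplit("\\", 1)[-1]
        if ev["kind"] == "dns":
            if ev["target"].lower() in IP_LOOKUP_HOSTS:
                rec["ip_lookup"] = True
            continue
        category = classify_target(ev["target"])
        if category and exe not in OWNER_APPS[category]:
            rec["stores"].add(category)
    return dict(hits)


def triage(events):
    """Return {pid: [reasons]} for processes that look like the infostealer profiled above."""
    findings = {}
    for pid, rec in profile_processes(events).items():
        reasons = []
        if len(rec["stores"]) >= 2:  # stores of two or more unrelated applications
            reasons.append("reads credential stores of: " + ", ".join(sorted(rec["stores"])))
        if rec["ip_lookup"] and rec["stores"]:
            reasons.append("external IP lookup alongside credential-store access")
        if has_deceptive_double_extension(rec["image"]):
            reasons.append("deceptive double extension in image name")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Only pid 4242 is reported: FileZilla touching its own sitemanager.xml is suppressed by the owner allowlist, and explorer.exe's IP lookup without any store access is ignored. The owner allowlist is the part that needs tuning per environment; attackers do inject into browsers and mail clients, so a hollowed chrome.exe reading Login Data would pass this filter and must be caught by the injection signals (SetThreadContext above) instead.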

MITRE ATT&CK Enterprise v15

Tasks