General

  • Target

    rShipmentNotification_pdf.exe

  • Size

    1.2MB

  • Sample

    240911-zpal2asgnh

  • MD5

    7133ab55e31ea1b16b141a561d5c3b27

  • SHA1

    f08bf25e27b467460a5fecfa421c0555d4c88616

  • SHA256

    34686435161bf43bd4c33df68a733b72ac73c24e5cd1d8fa473a7f55c373ab70

  • SHA512

    7d54f51c80f3e3ab3a1b86176d22c49241bfa0bd24b2ec81c38ad193c4491cd46dc55aedf410c5ce5b69fc634fb92966ac6dda4353dda146ac43f9072bcb9697

  • SSDEEP

    24576:C4lavt0LkLL9IMixoEgea6RyGw86lPCEYq9MmCS:1kwkn9IMHea6RRw8u69aPCS

Malware Config

Targets

    • Target

      rShipmentNotification_pdf.exe

    • Size

      1.2MB

    • MD5

      7133ab55e31ea1b16b141a561d5c3b27

    • SHA1

      f08bf25e27b467460a5fecfa421c0555d4c88616

    • SHA256

      34686435161bf43bd4c33df68a733b72ac73c24e5cd1d8fa473a7f55c373ab70

    • SHA512

      7d54f51c80f3e3ab3a1b86176d22c49241bfa0bd24b2ec81c38ad193c4491cd46dc55aedf410c5ce5b69fc634fb92966ac6dda4353dda146ac43f9072bcb9697

    • SSDEEP

      24576:C4lavt0LkLL9IMixoEgea6RyGw86lPCEYq9MmCS:1kwkn9IMHea6RRw8u69aPCS

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks