General
Target: MV. TBN 58 SHIP PARTICULARS.01.pdf.z
Size: 590KB
Sample: 240917-l6ytasxelk
MD5: 1bf3b553056464b26ee2645c4580066f
SHA1: 0e2a454f2516b54abe4cd0cb08aa5b51ded6637a
SHA256: 2703f63ffb3b7a2ec6d07ddfb7eed7af46556e00043426ec051dcfa8fbc36736
SHA512: f1ef31d030af19f2fa671fee47f71c00e5caa04a7e1b1277e2baa5dffbecf472a348d73b58012cb09a5f4b1d86847ec2dfaea6e2189e7ee4b5466e591e78f969
SSDEEP: 12288:A9SxMnxZXlvRM6eJ6DL72r+9+oxlQaAk/UXRLvw:As+b15M626D2r+ooP5x/Ke
Static task: static1
Behavioral task: behavioral1 - Sample: MV. TBN 58 SHIP PARTICULARS.01.pdf.rar - Resource: win7-20240903-en
Behavioral task: behavioral2 - Sample: MV. TBN 58 SHIP PARTICULARS.01.pdf.rar - Resource: win10v2004-20240802-en
Behavioral task: behavioral3 - Sample: MV. TBN 58 SHIP PARTICULARS.01.pdf.scr - Resource: win7-20240903-en
Behavioral task: behavioral4 - Sample: MV. TBN 58 SHIP PARTICULARS.01.pdf.scr - Resource: win10v2004-20240910-en
Malware Config
Extracted (family: agenttesla)
Protocol: ftp
Host: ftp://beirutrest.com
Port: 21
Username: [email protected]
Password: 9yXQ39wz(uL+
Extracted
Protocol: ftp
Host: beirutrest.com
Port: 21
Username: [email protected]
Password: 9yXQ39wz(uL+
Targets
Target: MV. TBN 58 SHIP PARTICULARS.01.pdf.z
Size: 590KB
MD5: 1bf3b553056464b26ee2645c4580066f
SHA1: 0e2a454f2516b54abe4cd0cb08aa5b51ded6637a
SHA256: 2703f63ffb3b7a2ec6d07ddfb7eed7af46556e00043426ec051dcfa8fbc36736
SHA512: f1ef31d030af19f2fa671fee47f71c00e5caa04a7e1b1277e2baa5dffbecf472a348d73b58012cb09a5f4b1d86847ec2dfaea6e2189e7ee4b5466e591e78f969
SSDEEP: 12288:A9SxMnxZXlvRM6eJ6DL72r+9+oxlQaAk/UXRLvw:As+b15M626D2r+ooP5x/Ke
Score: 3/10

Target: MV. TBN 58 SHIP PARTICULARS.01.pdf.scr
Size: 641KB
MD5: df65c7b5e46230cec189a0e30a8613c1
SHA1: fe1c0d551558a7e85d5e3bc0a08827c11adb558a
SHA256: 45854bda114224fa6aceeff0d3f85503e5d6b4c363ba33d58be54b34f240eab2
SHA512: 3d341c06862e4b8993919396ce411b3d911d1ea9c0082d64248ec6ca363f8d16e9091e0ab1ac49d6c4a3a3d13405d4a800ced28c9335e52a5c6b712791ef6f94
SSDEEP: 12288:2Av4Kh36Nhhmx6ZrHfeu8RFniSf2i8Cs/8iOy1AqUkyNGQGNXH0:y2KjhmxALe3Fv+i8Cs/dEkysjk
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copy of, a web browser credential store.
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores: 1
Credentials from Web Browsers: 1
Unsecured Credentials: 4
Credentials In Files: 3
Credentials in Registry: 1