General

  • Target

    PO Invoice XJ210821Q.PDF.7z.zip

  • Size

    608KB

  • Sample

    240925-g3rhlazcnp

  • MD5

    0115c5c629a1b520162b945010feace6

  • SHA1

    2dcd9c63f6c056b4d562c1af36fd827d08421e14

  • SHA256

    2916023a634aa57933f9bc8efe3e51e2da70bd0fecb2f8565dece272535a6de8

  • SHA512

    cbfbbde330747e85e18f5e8d7678dd27256476104b22265696b4b615d8c93e1a777a334864c53919fba98c958a916e1d83645de83fbe80e65db7399053d9ed2d

  • SSDEEP

    12288:PcVd06cOKnEOSmgBZp9TWuWeld2Qqo0JGLhuOBefXKmisQ4r:s0zSmgBld2Qq1GLhuOEfXNh

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.libreriagandhi.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    x6p2^m#1#~+O

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.libreriagandhi.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    x6p2^m#1#~+O

Targets

    • Target

      PO Invoice XJ210821Q.PDF.exe

    • Size

      664KB

    • MD5

      ec1d27d0c50590f58a3d43b8b979e4dc

    • SHA1

      bb6768eec71bd66c50a94b21cdd059994dc264b3

    • SHA256

      c17e06753e71aa66826658cc44f2e620b39d0e52b26d7dc5747ad5966f0ae0a3

    • SHA512

      2bf4090a6bc11e8a5b2055752a51d008aedd7f4dc3483282194b9666f19840ababa805aa18dfccf6d994d46ddf4503e5abed7201556b6388d38af93e6c890aa1

    • SSDEEP

      12288:LhdPAcO4nEOS405ZbvTAuWelX2QqycJGD7uoj6C/e8bQbGsxykR:LvlS405PX2QqRGD7u/ClIGoB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks