General

  • Target

    25092024051122092024INQUIRYS46789SEP24MAT.cab

  • Size

    951KB

  • Sample

    240925-jfa87sshqn

  • MD5

    a6e5f46051bfa8ef90268321b03aee86

  • SHA1

    04244e8b703928ef62c0beb7207b89fe4fe02240

  • SHA256

    a05ce1f38d2250cbab37851ba53120058ce06fa97cdaf961f4d9814de066cb32

  • SHA512

    0323a9bd357a366428782175baa7b6a14bbfbd1dc3639cd2fab843c11262c3113343c4599108a3b6bf0b3f7bfb32f6b54e6c56e58c56509dfdf52f6b43acb911

  • SSDEEP

    24576:7UB2l5IV11+UlLjhnRe+kxGZD7zQGC1lEHrQtTVP/zYd7i+N:tS11vdReei1WsX/ze7iE

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.zoho.eu
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    office12#

Targets

    • Target

      INQUIRYS#46789-SEP24MAT.exe

    • Size

      1.2MB

    • MD5

      07ccbec18681f1d2e98c33a62bdf89d6

    • SHA1

      391dd53228844ce76c1fe9ee8ec1d9c40731d2ce

    • SHA256

      9c08d64bbe7619affdc3842f4cbfa2f2d7e06d08aec3d01c0558ba133129c3d7

    • SHA512

      2309703110314b4d1e03d0f70ba91feedf0ca11893b11853f1a62cfe439f0cb8b2b13d06b980efac267e7d6f249ab84722375215e6ecb97cab0e4d006ec5ff34

    • SSDEEP

      24576:fRmJkcoQricOIQxiZY1ia3+ekxiX/7z2Gw1lODrQvTVZ/zAd7iy7:0JZoQrbTFZY1ia3+4K1k4z/zE7iG

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks