General

Target: CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
Size: 952KB
Sample: 200709-mrw6zw6v7n
MD5: 7e8eedd86f24f4e63ed26ff677162e75
SHA1: e9a7b4c02a2f2916a3604a417af65260e33436a4
SHA256: bb44a88339e83bc2ecbd06edef1acf6c54e66c4c4922005a67c27f970f717075
SHA512: f16624dd72c63bb944d45c25c80a6ed6d8400e994e852db3879602b3107dd3e09dd7d1c5c893598f0d64f15bd98828bc7e67a48ee91943e833e13324d0d016c3
Tasks

Static task: static1
Behavioral task: behavioral1 (sample: CMA-Inquiry DA39-RFQ-Urgent order-07820.exe; resource: win7v200430)
Behavioral task: behavioral2 (sample: CMA-Inquiry DA39-RFQ-Urgent order-07820.exe; resource: win10)
Malware Config

Extracted family: formbook
C2 URL: http://www.mansiobok2.info/ns424/
Additional domains carried in the same config (Formbook pads its configuration with decoy domains and beacons to them using the same URI path as the real C2; several of these are ordinary live sites, so treat them as lower-confidence indicators than the C2 URL itself):
loginaccount-secure.com
roadside-web.com
lovelydays.info
mariotime.com
toursmundialrusia.com
confidentbeauty.tips
duongtinhot24h.com
wcw.info
rabatte.click
xn--2nyy10g.biz
botuzm.net
galebplast.com
mahony-diet.com
3ctoken.com
mantispeed.com
withyou-cm.com
rightwebmarketing.com
pksbarandgrill.net
systemscan12.top
velinablog.com
16qdd.com
opebet668.com
sonialafountain.com
alamonda.net
fujianchangyuan.com
gorillathreads.com
productossaludnaturales.com
53sbh.com
ttwpiv.info
datenschutz-24-7.online
hawaiiwoodsource.com
yilongjiancai.com
portasolvacationrentals.com
eaglevogue.com
internetking.ink
e-golden-boy.com
zan-c.com
nmnedconsulting.com
mollybphoto.com
ybvip222.com
mijindou2019.com
abcshop.biz
promtiobooking.com
kcsmqd.com
angelalevelsup.com
lux-dl.com
edit-live.com
top10asiancasino.com
yixinpuze.com
girlbossevents.net
autohaker.com
advancedappliancerepairsva.com
costcocanadaliguor.com
donateoneeight.net
primeals.com
elementarycap.com
bakingandcookingandmore.com
maralexhealthservices.com
daniellcreation.com
bricsfintech.com
nazifsevim.com
lx-w.com
office421.com
1123ll.com
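The extracted config above is only useful if it can be matched against traffic. The following added example (not part of the sandbox report) copies the C2 URL and the domain list into a small scanner that runs over proxy log lines and assigns each hit a confidence tier: an exact match on the C2 host and path, a config domain seen with the same path (which is how Formbook contacts its decoys), or a bare config domain. The log format (timestamp, client, method, URL, status) and the log lines themselves are constructed for the example.

```python
from urllib.parse import urlsplit

# Indicators copied from the extracted Formbook config in the report above.
FORMBOOK_C2_URL = "http://www.mansiobok2.info/ns424/"
FORMBOOK_C2_PATH = urlsplit(FORMBOOK_C2_URL).path          # "/ns424/"
FORMBOOK_C2_HOST = "mansiobok2.info"

# Remaining domains from the same config. Formbook pads its config with decoy
# domains and beacons to them with the same URI path, so these are lower-
# confidence indicators on their own (several are ordinary live sites).
CANDIDATE_DOMAINS = set("""
loginaccount-secure.com roadside-web.com lovelydays.info mariotime.com
toursmundialrusia.com confidentbeauty.tips duongtinhot24h.com wcw.info
rabatte.click xn--2nyy10g.biz botuzm.net galebplast.com mahony-diet.com
3ctoken.com mantispeed.com withyou-cm.com rightwebmarketing.com
pksbarandgrill.net systemscan12.top velinablog.com 16qdd.com opebet668.com
sonialafountain.com alamonda.net fujianchangyuan.com gorillathreads.com
productossaludnaturales.com 53sbh.com ttwpiv.info datenschutz-24-7.online
hawaiiwoodsource.com yilongjiancai.com portasolvacationrentals.com
eaglevogue.com internetking.ink e-golden-boy.com zan-c.com
nmnedconsulting.com mollybphoto.com ybvip222.com mijindou2019.com
abcshop.biz promtiobooking.com kcsmqd.com angelalevelsup.com lux-dl.com
edit-live.com top10asiancasino.com yixinpuze.com girlbossevents.net
autohaker.com advancedappliancerepairsva.com costcocanadaliguor.com
donateoneeight.net primeals.com elementarycap.com
bakingandcookingandmore.com maralexhealthservices.com daniellcreation.com
bricsfintech.com nazifsevim.com lx-w.com office421.com 1123ll.com
""".split())

# Constructed proxy log lines (timestamp client method url status); they are
# sample input for this example, not output from the sandbox run.
SAMPLE_PROXY_LOG = """\
1594200001.123 10.0.0.5 POST http://www.mansiobok2.info/ns424/ 200
1594200002.456 10.0.0.5 GET http://www.roadside-web.com/ns424/ 404
1594200003.789 10.0.0.7 GET http://example.com/index.html 200
1594200004.001 10.0.0.5 GET http://www.lovelydays.info/ 200
"""


def normalize_host(host):
    """Lower-case, strip a trailing dot and the leading 'www.' label so that
    the config's bare domains compare equal to what appears in the URL."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_url(url):
    """Return a confidence tier for a URL, or None if it matches nothing."""
    parts = urlsplit(url)
    host = normalize_host(parts.hostname)
    same_path = parts.path == FORMBOOK_C2_PATH
    if host == FORMBOOK_C2_HOST and same_path:
        return "c2_exact"
    if host in CANDIDATE_DOMAINS and same_path:
        return "candidate_with_c2_path"
    if host in CANDIDATE_DOMAINS:
        return "candidate_domain"
    return None


def scan_proxy_log(text):
    """Return (client, url, tier) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        tier = classify_url(url)
        if tier:
            hits.append((client, url, tier))
    return hits


if __name__ == "__main__":
    for client, url, tier in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{tier:24} {client:12} {url}")
```

Only the c2_exact tier should page anyone on its own; a single client hitting several config domains with the same path within a short window is the pattern worth alerting on for the lower tiers, since Formbook cycles through its decoys alongside the real C2.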
Targets

Target: CMA-Inquiry DA39-RFQ-Urgent order-07820.exe (952KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures

AgentTesla
Agent Tesla is a .NET-based (originally VB.NET) infostealer and remote access tool (RAT) that harvests saved credentials from browsers, mail and FTP clients.

AgentTesla Payload

Formbook Payload
The sample matched both family signatures; the configuration that was actually extracted (see Malware Config above) is Formbook's.

Executes dropped EXE

Deletes itself
The original executable removes itself after handing off to the dropped/injected payload, so the file named in this report may no longer exist on a compromised host; pivot on the hashes and the dropped files instead.

Loads dropped DLL

Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla (for example recentservers.xml and sitemanager.xml under %APPDATA%\FileZilla), which hold saved server hostnames and credentials.

Reads user/profile data of local email clients
Email clients store account settings and saved passwords on disk (and, in Outlook's case, in the registry), where infostealers commonly harvest them.

Reads user/profile data of web browsers
Infostealers commonly target stored browser data, which includes saved credentials, cookies and autofill entries.

Suspicious use of SetThreadContext
Writing a payload into a suspended process and then resetting its main thread's context before resuming it is the classic process-hollowing pattern; Formbook uses it to run its unpacked code inside a legitimate process, which is why the network and file activity above may be attributed to that host process rather than to the original executable.
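The three "Reads user/profile data" signatures above share one detection idea: a process that is not the owning application opening well-known credential stores. The following added example (not part of the sandbox report) encodes that idea as a small rule set over file-access events and flags a process that touches FTP, mail and browser stores together, which is the infostealer profile these signatures describe. The event format ("image|target path") and the event lines are constructed for the example; the store paths are the standard default locations for FileZilla, Thunderbird, Chrome and Firefox.

```python
import re

# Credential stores the signatures refer to. Each rule: category, regex over
# the target path, and the process names that legitimately read that store.
CREDENTIAL_STORE_RULES = [
    ("ftp_client",
     re.compile(r"\\FileZilla\\(recentservers|sitemanager|filezilla)\.xml$", re.I),
     {"filezilla.exe"}),
    ("email_client",
     re.compile(r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),
     {"thunderbird.exe"}),
    ("web_browser",
     re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$", re.I),
     {"chrome.exe"}),
    ("web_browser",
     re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
     {"firefox.exe"}),
]

# Constructed file-access events as "image|target path", in the shape an EDR
# file-read feed would give; sample input for this example, not sandbox output.
SAMPLE_FILE_EVENTS = r"""
C:\Users\victim\AppData\Local\Temp\suspect.exe|C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\victim\AppData\Local\Temp\suspect.exe|C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json
C:\Users\victim\AppData\Local\Temp\suspect.exe|C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\q7.default\logins.json
C:\Users\victim\AppData\Local\Temp\suspect.exe|C:\Users\victim\Documents\notes.txt
"""


def basename(path):
    """Last path component, lower-cased, for matching against owner names."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_access(image, target):
    """Return (category, foreign): foreign is True when a process other than
    the store's own application touched it. (None, False) if no rule matches."""
    proc = basename(image)
    for category, pattern, owners in CREDENTIAL_STORE_RULES:
        if pattern.search(target):
            return category, proc not in owners
    return None, False


def scan_file_events(text):
    """Return (process, category, target) for each foreign access to a store."""
    suspicious = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        image, target = line.split("|", 1)
        category, foreign = classify_access(image, target)
        if category and foreign:
            suspicious.append((basename(image), category, target))
    return suspicious


def summarize(hits):
    """Map each process to the sorted set of store categories it touched.
    One process across ftp_client, email_client and web_browser is the
    same behaviour the three sandbox signatures flag."""
    per_proc = {}
    for proc, category, _ in hits:
        per_proc.setdefault(proc, set()).add(category)
    return {proc: sorted(cats) for proc, cats in per_proc.items()}


if __name__ == "__main__":
    hits = scan_file_events(SAMPLE_FILE_EVENTS)
    for proc, category, target in hits:
        print(f"{proc:14} {category:13} {target}")
    print(summarize(hits))
```

The owner allow-list is what keeps this quiet on real endpoints: Firefox reading its own logins.json is normal, while an executable in %TEMP% reading it is not. Because the sample hollows a legitimate process (see the SetThreadContext signature), the image seen in telemetry may be that host process rather than the dropper, so a hit on a normally benign process name still deserves a look when it spans all three categories.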