General

  • Target

    hkaP5RPCGNDVq3Z.exe

  • Size

    1.6MB

  • Sample

    210114-qjaqk5e61j

  • MD5

    07556e1af1f43f7dd42d32d188187e4a

  • SHA1

    42110c04869726694a2537e05f987039cd829ac0

  • SHA256

    a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd

  • SHA512

    433457cb0e908bc673e952639f2df8da6991f2aed7e9c2cf98bcc677452bb8c5d92ccf8267ed7ca38227122ffcc6633bf40a39f2b1eaaf4262221e45899f094d

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    sales01@seedwellresources.xyz
  • Password:
    MARYolanmauluogwo@ever

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    sales01@seedwellresources.xyz
  • Password:
    MARYolanmauluogwo@ever

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    sales01@seedwellresources.xyz
  • Password:
    MARYolanmauluogwo@ever

Targets

    • Target

      hkaP5RPCGNDVq3Z.exe

    • Size

      1.6MB

    • MD5

      07556e1af1f43f7dd42d32d188187e4a

    • SHA1

      42110c04869726694a2537e05f987039cd829ac0

    • SHA256

      a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd

    • SHA512

      433457cb0e908bc673e952639f2df8da6991f2aed7e9c2cf98bcc677452bb8c5d92ccf8267ed7ca38227122ffcc6633bf40a39f2b1eaaf4262221e45899f094d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • AgentTesla Payload

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

3
T1005

Tasks