General
- Target: hkaP5RPCGNDVq3Z.exe
- Size: 1.6MB
- Sample: 210114-qjaqk5e61j
- MD5: 07556e1af1f43f7dd42d32d188187e4a
- SHA1: 42110c04869726694a2537e05f987039cd829ac0
- SHA256: a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd
- SHA512: 433457cb0e908bc673e952639f2df8da6991f2aed7e9c2cf98bcc677452bb8c5d92ccf8267ed7ca38227122ffcc6633bf40a39f2b1eaaf4262221e45899f094d
- Static task: static1
- Behavioral task: behavioral1
- Sample: hkaP5RPCGNDVq3Z.exe
- Resource: win7v20201028
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: sales01@seedwellresources.xyz
- Password: MARYolanmauluogwo@ever
Extracted (matiex)
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: sales01@seedwellresources.xyz
- Password: MARYolanmauluogwo@ever
Extracted (agenttesla)
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: sales01@seedwellresources.xyz
- Password: MARYolanmauluogwo@ever
Targets
- Target: hkaP5RPCGNDVq3Z.exe
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Matiex Main Payload
- AgentTesla Payload
- NirSoft MailPassView
  Password recovery tool for various email clients.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers.
- NirSoft
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext