General
Target: 090008000000000000.exe
Size: 1.2MB
Sample: 210120-n24lkzsqnx
MD5: 4c7fe9c4af3c08960d1490c0ba409694
SHA1: 67b090a0aab7e6452d4fba12f2d625e276402096
SHA256: 614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097
SHA512: a5d70d3958b0979f39d2417cdfb26de1aac81482d48151310fa8cf99ad0d7ddeb83f1812ac611debd7ee052adb7bd109d5828e09a2fd765be2dbf5e35a3889a6

Static task: static1
Behavioral task: behavioral1 (Sample: 090008000000000000.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: 090008000000000000.exe, Resource: win10v20201028)
Malware Config
Extracted: one unattributed extraction plus the agenttesla, snakekeylogger and matiex extractions all yield the same SMTP configuration
Protocol: smtp
Host: srvc13.turhost.com
Port: 587
Username: info@bilgitekdagitim.com
Password: italik2015
Targets
Target: 090008000000000000.exe (Size: 1.2MB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Matiex Main Payload
- Snake Keylogger Payload
- AgentTesla Payload
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext