Overview

Analysis score: 10/10

Static analysis task: score 8

Behavioral tasks (one Windows 7 and one Windows 10 run per sample; sample names truncated as on the page; score is out of 10)

Sample                 Platform        Score
122de0842b...0d.exe    windows7_x64    6
122de0842b...0d.exe    windows10_x64   6
21837bd6a7...27.exe    windows7_x64    10
21837bd6a7...27.exe    windows10_x64   10
30131519d2...fc.exe    windows7_x64    1
30131519d2...fc.exe    windows10_x64   5
3be39aebff...7a.exe    windows7_x64    8
3be39aebff...7a.exe    windows10_x64   8
5514456013...b8.exe    windows7_x64    10
5514456013...b8.exe    windows10_x64   10
61d44476de...3e.exe    windows7_x64    9
61d44476de...3e.exe    windows10_x64   9
6ee50d84fd...c3.exe    windows7_x64    8
6ee50d84fd...c3.exe    windows10_x64   8
82c04fda59...b5.exe    windows7_x64    1
82c04fda59...b5.exe    windows10_x64   1
a101cc8e9f...75.exe    windows7_x64    8
a101cc8e9f...75.exe    windows10_x64   8
b5674726f7...b0.exe    windows7_x64    6
b5674726f7...b0.exe    windows10_x64   8
c939f36967...08.exe    windows7_x64    8
c939f36967...08.exe    windows10_x64   8
de36168cfc...49.exe    windows7_x64    10
de36168cfc...49.exe    windows10_x64   10
eb9775066c...4d.exe    windows7_x64    10
eb9775066c...4d.exe    windows10_x64   10
General

Target:  Local Virus Copies.zip
Size:    13.6MB
Sample:  210126-8kenvtwef2
MD5:     cc0c7dd67b318f50314664d227e1c071
SHA1:    afd99154fee47d24decc2fc2f96d8e7c4aa57edd
SHA256:  4a9006cf3b6e40360af21fbc2c9c419a58212f9fc06cb2a534240790a2e6dbac
SHA512:  e9081fdec088c95f4989984497b809ab40c82f8e73ff73ff8b9ae5d225271fa7f69d68e8786443b88dca3912e0ec782b3d627fb9b391b95c63638899ac8daa6f
Behavioral tasks

Task          Sample                                                                 Resource
behavioral1   122de0842b4df547c9bddfb0b594a1b8f8b55da501c6f35b038153981cf1870d.exe   win7v20201028
behavioral2   122de0842b4df547c9bddfb0b594a1b8f8b55da501c6f35b038153981cf1870d.exe   win10v20201028
behavioral3   21837bd6a795e92f326fe1a26523411408c5e8ad38054353c55ffc514e72b927.exe   win7v20201028
behavioral4   21837bd6a795e92f326fe1a26523411408c5e8ad38054353c55ffc514e72b927.exe   win10v20201028
behavioral5   30131519d29744c302b7cc68898c5238358a75a0c01d398b3df894896620cbfc.exe   win7v20201028
behavioral6   30131519d29744c302b7cc68898c5238358a75a0c01d398b3df894896620cbfc.exe   win10v20201028
behavioral7   3be39aebffed61e79f7bd2405d3e2722a1cf388a820b819ff76c1c1a132fd37a.exe   win7v20201028
behavioral8   3be39aebffed61e79f7bd2405d3e2722a1cf388a820b819ff76c1c1a132fd37a.exe   win10v20201028
behavioral9   5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe   win7v20201028
behavioral10  5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe   win10v20201028
behavioral11  61d44476deb3368a54bb936e56a7aadb9226e78b88f67f939ed1cf0932f3263e.exe   win7v20201028
behavioral12  61d44476deb3368a54bb936e56a7aadb9226e78b88f67f939ed1cf0932f3263e.exe   win10v20201028
behavioral13  6ee50d84fd4795440107550e6581ccb981f87dff2f216e5cc5a0314144b83ec3.exe   win7v20201028
behavioral14  6ee50d84fd4795440107550e6581ccb981f87dff2f216e5cc5a0314144b83ec3.exe   win10v20201028
behavioral15  82c04fda5985f51abe024bfda867bc3aaa0ffd26a500cd7cc40f8238df9b1eb5.exe   win7v20201028
behavioral16  82c04fda5985f51abe024bfda867bc3aaa0ffd26a500cd7cc40f8238df9b1eb5.exe   win10v20201028
behavioral17  a101cc8e9f1eac76c6fc006e9e746b59dc94b73e1358803ad94d70a0938d3a75.exe   win7v20201028
behavioral18  a101cc8e9f1eac76c6fc006e9e746b59dc94b73e1358803ad94d70a0938d3a75.exe   win10v20201028
behavioral19  b5674726f7f51d5880211f8ca8aea069bc6fc758794748117db27b8df25a12b0.exe   win7v20201028
behavioral20  b5674726f7f51d5880211f8ca8aea069bc6fc758794748117db27b8df25a12b0.exe   win10v20201028
behavioral21  c939f36967412e7e4c1a893ac6c9d38eee2d49516bd9168af2e0a33819ffe708.exe   win7v20201028
behavioral22  c939f36967412e7e4c1a893ac6c9d38eee2d49516bd9168af2e0a33819ffe708.exe   win10v20201028
behavioral23  de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe   win7v20201028
behavioral24  de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149.exe   win10v20201028
behavioral25  eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d.exe   win7v20201028
Malware Config

Extracted URL: http://94.158.245.88/mae.ps1
Targets

Target:  122de0842b4df547c9bddfb0b594a1b8f8b55da501c6f35b038153981cf1870d
Size:    59KB
MD5:     dc22d16b05f7a9f13d9ad89a95b7f08d
SHA1:    4eb21124de55173e59aad88b4c22fde438ea9046
SHA256:  122de0842b4df547c9bddfb0b594a1b8f8b55da501c6f35b038153981cf1870d
SHA512:  17fe35bace47e1615fd98beb1fd54329a03b307edfee9fc9709ec1781549392a04a4334e8fc8019cadcf591a44b32408ca6416305aded35bcd34e59ecaf7effd
Score:   6/10
Signatures:
  - Adds Run key to start application
  - Drops file in System32 directory

Target:  21837bd6a795e92f326fe1a26523411408c5e8ad38054353c55ffc514e72b927
Size:    1.7MB
MD5:     45c57065809192c988346a5e2eb66a65
SHA1:    2cbad3e97e9fee9a6a17009035fd871d0dadfd3a
SHA256:  21837bd6a795e92f326fe1a26523411408c5e8ad38054353c55ffc514e72b927
SHA512:  67948d65def21457283e4be5e31bf35098c4c2e27adcc808053920847277bf35b75061c9d36ca099b3bb0d822f8ad80aaa8a73a3f5f39ed0c4714d050c7e9afe
Signatures:
  - Blocklisted process makes network request
  - Executes dropped EXE
  - Loads dropped DLL
  - Legitimate hosting services abused for malware hosting/C2
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger (ThreadHideFromDebugger is an anti-debugging call: once set, the thread no longer delivers debug events to an attached debugger)
  - Suspicious use of SetThreadContext (rewriting another thread's register context is the step in process hollowing / RunPE that points a suspended child process at injected code)

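The last two signatures in the block above are behaviour-based, and the sandbox only reports that the calls were seen. The following is an added example, not Triage's signature logic and not code from any sample on this page, that scans a constructed API-call trace for the same two behaviours: an NtSetInformationThread call whose ThreadInformationClass is ThreadHideFromDebugger (0x11), and the ordered chain CreateProcess with CREATE_SUSPENDED, then WriteProcessMemory, SetThreadContext and ResumeThread against the same child, which is what process hollowing produces. The trace schema (ApiCall records carrying a target_pid argument) and the sample trace are assumptions. Note that the report's "Suspicious use of SetThreadContext" fires on the bare call; the check below is deliberately stricter and requires the whole chain, so a debugger that merely adjusts a context and resumes is not flagged.

```python
"""Added example: detect the two anti-analysis signatures from the report in an
API-call trace. Not Triage's signature code; the trace format is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS value ThreadHideFromDebugger
CREATE_SUSPENDED = 0x00000004     # CreateProcess* dwCreationFlags bit


@dataclass
class ApiCall:
    """One monitored call (assumed schema). target_pid is set when the call
    acts on another process."""
    pid: int
    api: str
    args: dict = field(default_factory=dict)


def hide_from_debugger_calls(trace: Iterable[ApiCall]) -> List[ApiCall]:
    """NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, 0) stops the
    thread from delivering debug events; legitimate software almost never does it."""
    return [
        c for c in trace
        if c.api == "NtSetInformationThread"
        and c.args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER
    ]


# Minimal ordered chain of classic process hollowing (RunPE). NtUnmapViewOfSection
# is not required because many loaders overwrite the image in place instead.
HOLLOWING_STEPS = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


def hollowing_candidates(trace: Iterable[ApiCall]) -> List[Tuple[int, int]]:
    """Return (parent_pid, child_pid) pairs for which the full chain was observed,
    in order, against the same child. Steps are matched by substring so that
    CreateProcessW / CreateProcessInternalW and NtResumeThread also count."""
    progress: Dict[Tuple[int, int], int] = {}
    hits: List[Tuple[int, int]] = []
    for call in trace:
        child = call.args.get("target_pid")
        if child is None:
            continue
        key = (call.pid, child)
        step = progress.get(key, 0)
        if step >= len(HOLLOWING_STEPS):
            continue
        expected = HOLLOWING_STEPS[step]
        if expected not in call.api:
            continue
        # The chain only starts with a child created suspended; a normal create is ignored.
        if expected == "CreateProcess" and not (call.args.get("dwCreationFlags", 0) & CREATE_SUSPENDED):
            continue
        progress[key] = step + 1
        if progress[key] == len(HOLLOWING_STEPS):
            hits.append(key)
    return hits


def report_signatures(trace: List[ApiCall]) -> Set[str]:
    """Map findings onto the signature names used in the report."""
    names: Set[str] = set()
    if hide_from_debugger_calls(trace):
        names.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
    if hollowing_candidates(trace):
        names.add("Suspicious use of SetThreadContext")
    return names


# Constructed trace (not from any sample on the page): pid 1234 hides itself from a
# debugger and hollows child 5678; pid 4321 behaves like a debugger that only
# adjusts a context and resumes, which must not be flagged.
SAMPLE_TRACE = [
    ApiCall(1234, "NtSetInformationThread", {"ThreadInformationClass": THREAD_HIDE_FROM_DEBUGGER}),
    ApiCall(1234, "CreateProcessW", {"target_pid": 5678, "dwCreationFlags": CREATE_SUSPENDED}),
    ApiCall(1234, "NtUnmapViewOfSection", {"target_pid": 5678}),
    ApiCall(1234, "WriteProcessMemory", {"target_pid": 5678}),
    ApiCall(1234, "SetThreadContext", {"target_pid": 5678}),
    ApiCall(1234, "ResumeThread", {"target_pid": 5678}),
    ApiCall(4321, "SetThreadContext", {"target_pid": 9999}),
    ApiCall(4321, "ResumeThread", {"target_pid": 9999}),
]

if __name__ == "__main__":
    for name in sorted(report_signatures(SAMPLE_TRACE)):
        print(name)
    print("hollowing:", hollowing_candidates(SAMPLE_TRACE))
```

Running the block prints both signature names and the (1234, 5678) parent/child pair; the debugger-like pid 4321 produces nothing because its chain never began with a suspended create.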
Target:  30131519d29744c302b7cc68898c5238358a75a0c01d398b3df894896620cbfc
Size:    420KB
MD5:     cde4bb46d908cdb0df9cde0f7636e0c0
SHA1:    0cccbf4628cc325cb2528815524c9ed12ee19b35
SHA256:  30131519d29744c302b7cc68898c5238358a75a0c01d398b3df894896620cbfc
SHA512:  ea89ea2b365eaa0607ad5aac9308a2d94ea55794726243c32969d25cd435f327282396bc8abefdd5ffbec2dd652ed5b84ac28022caebe6ee00f32b407c7faaca
Score:   5/10
Signatures:
  - Suspicious use of SetThreadContext

Target:  3be39aebffed61e79f7bd2405d3e2722a1cf388a820b819ff76c1c1a132fd37a
Size:    3.3MB
MD5:     81c78d3e3e2ea4a6f5a7adc544472d9f
SHA1:    5b0a43cfe170e65e2319eaf7ba69728a78b56094
SHA256:  3be39aebffed61e79f7bd2405d3e2722a1cf388a820b819ff76c1c1a132fd37a
SHA512:  2d3ca570619136bb260ef85b6b1296189a9cdde5d3cf97aa27137b875183a4f4afc2e66f129ac34f636a0a7355f1a1d204175b013164773cd9d5cb2f45bd88f5
Score:   8/10
Signatures:
  - Executes dropped EXE
  - Adds Run key to start application

Target:  5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8
Size:    636KB
MD5:     b9d330bf786b93b2a580336aa176ca41
SHA1:    3e79a5acbd1d23d33bf085edc76e2f661342f1e7
SHA256:  5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8
SHA512:  461e95596805e059f8509b461c1ef56e6c8819c3c46b0198220b3dceef69d387e7f0d4f69163d9402751734253751060e60f0d4463da0c452ccab6c9e554b2b5
Family:  AgentTesla
         Agent Tesla is a .NET-based remote access tool (RAT) and infostealer, historically built in Visual Basic .NET. Its credential-stealing module is what produces the FTP client, email client and browser data reads listed below.
Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Reads data files stored by FTP clients (tries to access configuration files associated with programs like FileZilla)
  - Reads user/profile data of local email clients (email clients store some user data on disk, where infostealers often target it)
  - Reads user/profile data of web browsers (infostealers often target stored browser data, which can include saved credentials)
  - Adds Run key to start application
  - Suspicious use of SetThreadContext

Target:  61d44476deb3368a54bb936e56a7aadb9226e78b88f67f939ed1cf0932f3263e
Size:    2.4MB
MD5:     efb11012c0ce5a01bc08049bf5ce5cdc
SHA1:    20af0614df492419e4a61e3c7d148efa99aa3325
SHA256:  61d44476deb3368a54bb936e56a7aadb9226e78b88f67f939ed1cf0932f3263e
SHA512:  cb490a0718c46b18a7710b3341fc580105429c5300f09d3511f47964134fc2332ed97f074868708a8fe17607c666926362e0ca2d1945d0f6342239ea08bff852
Score:   9/10
Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext

Target:  6ee50d84fd4795440107550e6581ccb981f87dff2f216e5cc5a0314144b83ec3
Size:    5.9MB
MD5:     2a3a93cf80b22cce273abdff692e7aa9
SHA1:    ea07ea21791230aab9b34220fe7dcc594383a046
SHA256:  6ee50d84fd4795440107550e6581ccb981f87dff2f216e5cc5a0314144b83ec3
SHA512:  06f180e1c839f5fe34edd3eca3a7ff1c6c1f6584b4b64041d69b7295632ca85d9b7a9498d8beab08e163a538af2e0a9c9615f172ff7ef5b06da81c552e657154
Score:   8/10
Signatures:
  - Executes dropped EXE
  - Adds Run key to start application

Target:  82c04fda5985f51abe024bfda867bc3aaa0ffd26a500cd7cc40f8238df9b1eb5
Size:    220KB
MD5:     9a525447cdf4fa9373df6b8b9990b755
SHA1:    57a7c1c471b07995ec7313cbda4a385812b335a6
SHA256:  82c04fda5985f51abe024bfda867bc3aaa0ffd26a500cd7cc40f8238df9b1eb5
SHA512:  ba2cf07821ae8f80a38fa3717a205d0db58f122e5f25a5ea805c96c695de5ced0d0a97b4148f230dfffe1eb64f0567bd4696a7f08202fb2f6017be08cf22d1a2
Score:   1/10
Signatures: none triggered

Target:  a101cc8e9f1eac76c6fc006e9e746b59dc94b73e1358803ad94d70a0938d3a75
Size:    250KB
MD5:     61bb311ad857020ee001efdab0e01cf9
SHA1:    17f8830b258000086b4f17521a892ca95adcb212
SHA256:  a101cc8e9f1eac76c6fc006e9e746b59dc94b73e1358803ad94d70a0938d3a75
SHA512:  1fea2b332e826ab77bfb76eeb8ded46461bf2b6b19555ba103be55a61d4985f15e2f8486229d3714807f7611f97ebe85b43229cf832ed51e4ebdc69ef6fa6c70
Score:   8/10
Signatures:
  - Disables RegEdit via registry modification
  - Disables Task Manager via registry modification
  - Adds Run key to start application

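Several signatures in this report are plain host artefacts that an EDR or Sysmon feed exposes directly: the Run-key persistence and the RegEdit / Task Manager policy writes in the target just above, the System32 file drop, and the FTP, email and browser credential-store reads in the Agent Tesla target earlier. The block below is an added example, not Triage's signature engine and not code from any sample on this page, that reproduces those checks over a constructed list of telemetry events and reports them under the signature names the page uses. The event schema (type, key, value, data, path) and the exact path fragments are assumptions, chosen to reflect where FileZilla, Chrome, Edge, Firefox and Thunderbird keep their credential files; the policy rule only fires when the DWORD is set to 1, so an administrator resetting DisableTaskMgr to 0 is not a hit.

```python
"""Added example: match some of the report's host-behaviour signatures against
constructed telemetry. Not Triage's engine; event schema and paths are assumptions."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Registry locations behind the persistence and policy signatures.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
POLICY_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$", re.I)
POLICY_VALUES = {
    "disabletaskmgr": "Disables Task Manager via registry modification",
    "disableregistrytools": "Disables RegEdit via registry modification",
}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"

# Credential stores of the client families named in the report (lower-case path fragments).
CREDENTIAL_STORES = {
    "Reads data files stored by FTP clients": (
        "\\filezilla\\sitemanager.xml", "\\filezilla\\recentservers.xml", "\\filezilla\\filezilla.xml",
    ),
    "Reads user/profile data of web browsers": (
        "\\google\\chrome\\user data\\", "\\microsoft\\edge\\user data\\", "\\mozilla\\firefox\\profiles\\",
    ),
    "Reads user/profile data of local email clients": (
        "\\thunderbird\\profiles\\", "\\microsoft\\outlook\\",
    ),
}


def _enabled(data) -> bool:
    """Policy DWORDs are only a hit when set to 1; a reset to 0 is not a disable."""
    return str(data).strip().lower() in ("1", "0x1", "dword (0x00000001)")


def match_signatures(events: Iterable[dict]) -> Dict[str, List[dict]]:
    """Return signature name -> list of the events that triggered it."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        kind = ev.get("type")
        if kind == "registry_set":
            key = ev.get("key", "")
            if RUN_KEY_RE.search(key):
                hits["Adds Run key to start application"].append(ev)
            elif POLICY_KEY_RE.search(key):
                name = POLICY_VALUES.get(str(ev.get("value", "")).lower())
                if name and _enabled(ev.get("data")):
                    hits[name].append(ev)
        elif kind == "file_create":
            if ev.get("path", "").lower().startswith(SYSTEM32_PREFIX):
                hits["Drops file in System32 directory"].append(ev)
        elif kind == "file_read":
            path = ev.get("path", "").lower()
            for name, fragments in CREDENTIAL_STORES.items():
                if any(f in path for f in fragments):
                    hits[name].append(ev)
    return dict(hits)


def signature_names(events: Iterable[dict]) -> List[str]:
    """Sorted signature names, in the report's wording, for a batch of events."""
    return sorted(match_signatures(events))


# Constructed events (not from any sample on the page).
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "WindowsUpdate", "data": r"C:\Users\victim\AppData\Roaming\svchost.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableTaskMgr", "data": 1},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableRegistryTools", "data": 1},
    {"type": "file_create", "path": r"C:\Windows\System32\drivers\svc.dll"},
    {"type": "file_read", "path": r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "file_read", "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "path": r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\x1.default\logins.json"},
    # Noise that must not fire: the policy value reset to 0 and an unrelated document read.
    {"type": "registry_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableTaskMgr", "data": 0},
    {"type": "file_read", "path": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    for name, evs in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

On the constructed events the block reports all seven signatures once each; feeding it real Sysmon EventID 13 (registry value set) and EventID 11 (file create) records only requires mapping those fields onto the assumed type/key/value/data/path schema.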
Target:  b5674726f7f51d5880211f8ca8aea069bc6fc758794748117db27b8df25a12b0
Size:    208KB
MD5:     92509360c9dbc6816758f265859a5144
SHA1:    0d1b8967ecfa1ce68b52191c624169851fad38fa
SHA256:  b5674726f7f51d5880211f8ca8aea069bc6fc758794748117db27b8df25a12b0
SHA512:  95a501a3b5912ab2f60534f90f4a18143d4091facf5019ff6ace03925cfc0d592e1fde6c0a4dd025d8245ba30ff5c2d5291edf0633bc374de37deaafbba87c95
Score:   8/10
Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Reads user/profile data of web browsers (infostealers often target stored browser data, which can include saved credentials)
  - Adds Run key to start application

Target:  c939f36967412e7e4c1a893ac6c9d38eee2d49516bd9168af2e0a33819ffe708
Size:    2.0MB
MD5:     93cd33ee61e6fea5d670b5765a698be2
SHA1:    de4d9ba17caabd7a8a7188f5d60d3683d93e3de5
SHA256:  c939f36967412e7e4c1a893ac6c9d38eee2d49516bd9168af2e0a33819ffe708
SHA512:  aff1dd7ae00cbc8f396113fc01178586ba9566fc50bd6cd01f34758229675d1eeb97f5e03d1dc709944d1db2daeec0a6a3e4c88b4cbe11fee10489bc917cd00c
Score:   8/10
Signatures:
  - Adds Run key to start application
  - Suspicious use of SetThreadContext

Target:  de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149
Size:    44KB
MD5:     ab7a640c6b203e4675a45a08eb96a998
SHA1:    89b5ba11a035ef784854c94df020d283b6802b82
SHA256:  de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149
SHA512:  0168c99f2a7a71f5bd8f629083288723f0e7997423e787af46828fabd3b887395ad31539e0623e6b0bbcd3dde926c7e4a68f78dcec088cc5e3ae227a34eadf55
Signatures:
  - Executes dropped EXE
  - Modifies Windows Firewall
  - Loads dropped DLL
  - Modifies file permissions
  - Adds Run key to start application
  - Drops file in System32 directory

Target:  eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d
Size:    414KB
MD5:     104d68ad37956b6b9ffe9a69effa6c57
SHA1:    6e58c74c92ede192f323358d865f1ce94e69b33b
SHA256:  eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d
SHA512:  1aa56916792556d461c13343e37286eedbbf0b957a03d98f1916d1c797a036d88ec7f09baa02c45165dfc03b2b9bda6c056abe616abbf88b8f6dba338466bc49
Signatures:
  - Executes dropped EXE
  - Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6; the number after each technique is its hit count across the analysed samples)

Persistence
  - Registry Run Keys / Startup Folder (9)
  - Scheduled Task (2)
  - Hidden Files and Directories (1)
  - Modify Existing Service (1)

Defense Evasion
  - Modify Registry (13)
  - Install Root Certificate (1)
  - Hidden Files and Directories (1)
  - File Permissions Modification (1)