General
Target: mal0130-01.zip
Size: 90KB
Sample: 210130-ggny5cpma2
MD5: f3ed0eb78f197a073b27eed438c1e639
SHA1: 0ee03a3233fba2d8e37a712bafdf5d9eafd4373c
SHA256: 2de2d3dd8d844dbc36860caf58f195ae37086c5b109ee43a367c7c8dc729b09c
SHA512: 07be10aabe90a3131acc47fb2e8834ddf953fd77cf94d2014cb8ea86ec35aa25ea7300f532a68f198b3051b5e8b6843d7af8a7e2f7af2271a271621f55afde97
Static task: static1
Behavioral task: behavioral1
  Sample: BL - Draft Copy.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: BL - Draft Copy.exe
  Resource: win10v20201028
Behavioral task: behavioral3
  Sample: PL - Draft Copy.exe
  Resource: win7v20201028
Behavioral task: behavioral4
  Sample: PL - Draft Copy.exe
  Resource: win10v20201028
Malware Config
Extracted family: lokibot
Extracted C2 URLs:
  http://luxlogics.ml/officem7/logs/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets

Target: BL - Draft Copy.exe
Size: 224KB
MD5: c041005a920e170e50a10d10e5a4371b
SHA1: e07ab8cb54bd043ba74073a098ee6fd5f7988342
SHA256: 94d6889f51654243db239a73cb9aba8f1061c975b6e839690656afb7754e63f2
SHA512: 3ea26df8608b11367a6e2b25e1fd64cac7ea874602d6e6464c8f177d649b6c38c0d24548f425229000b3e1ab3037e3a363ca0250c476b9f28ffe00985529bb31
Signatures:
  Suspicious use of SetThreadContext

Target: PL - Draft Copy.exe
Size: 35KB
MD5: f954d35e0c8838192a964d23ebb4e3fd
SHA1: 92877ce8344494eac69c7c2f01c68b82129eba68
SHA256: a1ebb1d0e224cba9c8465e76ff6e4531753f933a01b2cc5b44ae4257f3d65df7
SHA512: 27adbf21c5e699e7c047dab1d30e56aae698c1f2714f0a7987ea0531a17a113a541b2e2ac008a135145eecdc1c9b2f675bf225e7dd4742ece6d5d84b261ee30f
Score: 10/10
Signatures:
  AgentTesla
    Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  Reads data files stored by FTP clients
    Tries to access configuration files associated with programs like FileZilla.
  Reads user/profile data of local email clients
    Email clients store some user data on disk, where infostealers often target it.
  Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  Suspicious use of SetThreadContext