General

  • Target

    9c696cb9_by_Libranalysis

  • Size

    2.4MB

  • Sample

    210506-qagd5d9csa

  • MD5

    9c696cb9c1c105267728511ff6b56279

  • SHA1

    3e97c42c9a074393971f138eeda73c4d6848b3e4

  • SHA256

    63abc500d2a9f12692276d1cd2becc0ce16719ab69a69ea9827bd411f12b4291

  • SHA512

    0b73a172673b9b6db8e2b220661f48be803d7f805adc1511c0050c6f034f21e45603f52f63d461d2ca687380ae9c7ceb2d2c524dd662aea93d57e16fc96d3606

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.knighttechinca.com/dxe/

Decoy

sardarfarm.com

959tremont.com

privat-livecam.net

ansel-homebakery.com

joysupermarket.com

peninsulamatchmakers.net

northsytyle.com

radioconexaoubermusic.com

relocatingrealtor.com

desyrnan.com

onlinehoortoestel.online

enpointe.online

rvvikings.com

paulpoirier.com

shitarpa.net

kerneis.net

rokitreach.com

essentiallygaia.com

prestiged.net

fuerzaagavera.com

Extracted

Language
vba
URLs (vba.dropper)

https://spacekicker.com/l6g9ann.gif

https://arvacol.com/mm4rtgiv.rar

https://www.stameco.com/a1wnyve.zip

https://rowquinte.ca/ksx0l5.pdf

https://appmc.servertrack.co/tldv5s7.pdf

https://bohnke.nl/kh9vsgk.txt

https://auditionsuite.com/nwn2v21.gif

https://static.danfosterdesign.co.uk/lru8mnc.rar

https://schalke04rss.de/qgahx29.rar

https://www.club-bergwerk.de/aejibnslx.txt

https://blog.robi2.hu/jhls4938.gif

https://SiluetaSportsWear.com/xszw6zgx.txt

https://geocache.altosaxplayer.com/a5k6di.gif

https://stroimdomsami.pp.ua/a9jlwkg.zip

https://m2.gameonlinefx31.com/aw57lpq.pdf

https://gramosindia.com/hqhln1pg.txt

https://arrowbo.com/u6hgcy.zip

https://mail.izmirfujitsuklimaservisi.com/e7fmruu.txt

https://mashroo3i.bh/fvvguy.zip

https://cron.altosaxplayer.com/lp7smh.pdf

Extracted

Language
xlm4.0
URLs (xlm40.dropper)

http://mayhutchankhong.tv/b6bgoms.txt

Extracted

Language
xlm4.0
URLs (xlm40.dropper)

http://nsc.demasys.net/z5pkv7mb8.gif

https://testnew.yourpageserver.com/h6em3w4c.jpg

Extracted

Family

dridex

Botnet

10444

C2

195.154.237.245:443

46.105.131.73:8172

91.238.160.158:18443

213.183.128.99:3786

rc4.plain

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.abr.rs
  • Port:
    587
  • Username:
    finansije@abr.rs
  • Password:
    Royal-1111
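
The extracted configs above (the Formbook C2 and its decoy list, the VBA and XLM 4.0 dropper URLs, the Dridex C2 sockets and the Agent Tesla SMTP exfiltration host) are only useful once they are normalised and matched against telemetry. The script below is an added example written for this report, not part of the sandbox output: it copies the indicators verbatim, builds one IOC set from them, classifies proxy / DNS / flow log lines against it, and adds the extension-versus-content check behind the "Downloads MZ/PE file" signature (a .gif/.pdf/.txt URL that serves a PE image). The log format and the lines in SAMPLE_LOG are constructed for illustration.

```python
"""Normalise the network indicators from the extracted configs into one IOC
set and match proxy / DNS / flow log lines against it.  Added example for
this report, not sandbox output: only the indicators are copied from the
report, the log format and SAMPLE_LOG are constructed.
"""
import re
from urllib.parse import urlparse

FORMBOOK_C2 = "http://www.knighttechinca.com/dxe/"
FORMBOOK_DECOYS = [
    "sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com",
    "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com",
    "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com",
    "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com",
    "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com",
    "prestiged.net", "fuerzaagavera.com",
]
DROPPER_URLS = [  # vba.dropper and xlm40.dropper download URLs from the report
    "https://spacekicker.com/l6g9ann.gif", "https://arvacol.com/mm4rtgiv.rar",
    "https://www.stameco.com/a1wnyve.zip", "https://rowquinte.ca/ksx0l5.pdf",
    "https://appmc.servertrack.co/tldv5s7.pdf", "https://bohnke.nl/kh9vsgk.txt",
    "https://auditionsuite.com/nwn2v21.gif", "https://static.danfosterdesign.co.uk/lru8mnc.rar",
    "https://schalke04rss.de/qgahx29.rar", "https://www.club-bergwerk.de/aejibnslx.txt",
    "https://blog.robi2.hu/jhls4938.gif", "https://SiluetaSportsWear.com/xszw6zgx.txt",
    "https://geocache.altosaxplayer.com/a5k6di.gif", "https://stroimdomsami.pp.ua/a9jlwkg.zip",
    "https://m2.gameonlinefx31.com/aw57lpq.pdf", "https://gramosindia.com/hqhln1pg.txt",
    "https://arrowbo.com/u6hgcy.zip", "https://mail.izmirfujitsuklimaservisi.com/e7fmruu.txt",
    "https://mashroo3i.bh/fvvguy.zip", "https://cron.altosaxplayer.com/lp7smh.pdf",
    "http://mayhutchankhong.tv/b6bgoms.txt", "http://nsc.demasys.net/z5pkv7mb8.gif",
    "https://testnew.yourpageserver.com/h6em3w4c.jpg",
]
DRIDEX_C2 = ["195.154.237.245:443", "46.105.131.73:8172",
             "91.238.160.158:18443", "213.183.128.99:3786"]
AGENTTESLA_SMTP_HOST = "mail.abr.rs"  # credential exfiltration over SMTP/587

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}:\d{1,5})\b")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b")


def build_iocs():
    """Lower-case every indicator and split it into URL, ip:port and host sets.
    Decoys are kept apart: Formbook contacts them alongside the real C2, so a
    decoy hit is worth correlating, but the domains themselves are innocent."""
    urls = {u.lower().rstrip("/") for u in [FORMBOOK_C2, *DROPPER_URLS]}
    hosts = {urlparse(u).hostname for u in urls} | {AGENTTESLA_SMTP_HOST}
    return {"urls": urls, "hosts": hosts, "sockets": set(DRIDEX_C2),
            "decoys": {d.lower() for d in FORMBOOK_DECOYS}}


def match_line(line, iocs):
    """Classify one log line, most specific indicator first (full URL, then
    Dridex ip:port, then bare hostname).  Returns (severity, reason) or None."""
    text = line.lower()
    for url in URL_RE.findall(text):
        if url.rstrip("/") in iocs["urls"]:
            return "high", f"known dropper/C2 URL {url}"
    for sock in SOCKET_RE.findall(text):
        if sock in iocs["sockets"]:
            return "high", f"Dridex C2 socket {sock}"
    for host in HOST_RE.findall(text):  # tokenised, so no substring false hits
        if host in iocs["hosts"]:
            return "medium", f"contact with known malicious host {host}"
        if host in iocs["decoys"]:
            return "low", f"Formbook decoy domain {host}"
    return None


def looks_like_disguised_pe(url, body):
    """The 'Downloads MZ/PE file' pattern: a URL whose extension claims a
    picture, document or archive actually serves a PE image (MZ header)."""
    path = urlparse(url).path.lower()
    ext = path[path.rfind("."):] if "." in path else ""
    return ext not in {".exe", ".dll", ".scr"} and body[:2] == b"MZ"


def scan(lines, iocs=None):
    """Return [(line_no, severity, reason)] for every line that matches."""
    iocs = iocs or build_iocs()
    hits = []
    for n, line in enumerate(lines, 1):
        hit = match_line(line, iocs)
        if hit:
            hits.append((n, *hit))
    return hits


SAMPLE_LOG = [  # constructed for illustration, not taken from the report
    "2021-05-06T10:12:41Z http 10.0.0.5 GET https://www.club-bergwerk.de/aejibnslx.txt 200",
    "2021-05-06T10:12:44Z http 10.0.0.5 POST http://www.knighttechinca.com/dxe/ 200",
    "2021-05-06T10:12:45Z dns 10.0.0.5 sardarfarm.com A",
    "2021-05-06T10:13:02Z flow 10.0.0.5:49213 -> 195.154.237.245:443",
    "2021-05-06T10:13:10Z flow 10.0.0.5:49220 -> mail.abr.rs:587",
    "2021-05-06T10:13:30Z http 10.0.0.5 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for n, sev, why in scan(SAMPLE_LOG):
        print(f"line {n}: {sev:6} {why}")
```

Two choices matter in practice: hostnames are matched as whole tokens rather than substrings (otherwise `kerneis.net` would also fire on `akerneis.net`), and the decoy domains are reported at low severity and kept out of the block list, because Formbook deliberately beacons to legitimate sites to bury the real C2 path (`/dxe/` on www.knighttechinca.com here).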

Targets

    • Target

      BANK RECEIPT.exe

    • Size

      280KB

    • MD5

      6317a0b98ebd6f0ba716fc1b73b4bf31

    • SHA1

      6f593ad2588b2ca2e561f0b47c9654df9fd95932

    • SHA256

      a2e99d0aabd8f0ad83b885eccf313563526a58b2da435bf34dad29294c712efe

    • SHA512

      e29265b8cc385be1c86751dd04dd2a70d727e8e298cd0d0ca250c2c6515c8d1c189511c564de11cf9c3c85d3efed1e23f7ad4b91bcca156b6b7c4341195f449a

    • Formbook

      Formbook is an information stealer sold as malware-as-a-service: it grabs web form submissions, logs keystrokes and clipboard contents, harvests saved credentials from browsers and mail clients, and can download and run additional payloads.

    • Formbook Payload

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      BOL.xlsm

    • Size

      44KB

    • MD5

      56d32b6823bf5fd7d2360f423b62e9f2

    • SHA1

      cc45d98bea6687480fa5d35bbfafa3ca3b873304

    • SHA256

      00777c86e585397754f0e73a927bcaa3e39a4948d9bb28e758f0f5bfdac1eef4

    • SHA512

      49351436490b45c0935d2cc9ea53397e79748612f90c21c83d7f9082451eb0c3184929add7a4434b5bcbbc62cdbae219388d7326e562e502f11f33cbd75114cd

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Target

      Inv_399139_86191.xlsm

    • Size

      26KB

    • MD5

      498adcc5b1c0e59baa8779fb8a1b72df

    • SHA1

      e5c0063a99e22394ce84104ea5d775e48dbd70a4

    • SHA256

      7db855d25c3468c8b0cc6ed349e16f8611a875aa0c8b95b98c4c1845fc503c7b

    • SHA512

      0effc72caeb94dc7475c4371fdaa692676bf24fbcc2f79386e5f05f9012734afa46984d80547a2c1cf61f5b4d5574944d4ac24163b02aa39bf568f6b7a1884f2

    • Dridex

      Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online banking credentials and is distributed mainly through malicious Office documents.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Dridex Loader

      Detects Dridex both x86 and x64 loader in memory.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Target

      Ordine 400225.xlxs.exe

    • Size

      565KB

    • MD5

      39541aa8dbd218a6f461dd96c336a018

    • SHA1

      0fe5d981ecd0282efadb0a68dbb83b5ab941e227

    • SHA256

      ab6679b01e9981f3deb6bc1fb9bd165649c23ae2e3aca6c20293be08eec61fa4

    • SHA512

      84078406c12e7bbd754defd1cb5b06321ff4fa312e48987655d4b15e1072931e8b5c5c35a3aaec05f6db87537f5e61a8ec54467e11e7006fc64993616322a4b1

    • Target

      PO.exe

    • Size

      228KB

    • MD5

      2593eef7b38e160b9697f2479fa8843f

    • SHA1

      25d4d88f321321fb5b2b316fd5dbcd5bb144daa1

    • SHA256

      b35de004189f271fe754dd614e5fbbc299425f5aca9ebf1f935bf26696964853

    • SHA512

      c5beb57aae9c18ca5d7d73954216abc6a07871666d08a654d7b5d8e1d25b0defe9ca66eee77325bed03870a39757c85df13f868472447369bd2903ba05336a21

    • Formbook

      Formbook is an information stealer sold as malware-as-a-service: it grabs web form submissions, logs keystrokes and clipboard contents, harvests saved credentials from browsers and mail clients, and can download and run additional payloads.

    • Formbook Payload

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      STATEMENT OF ACCOUNT.exe

    • Size

      387KB

    • MD5

      5932bd9d5a231f2dce386609a1c80ba9

    • SHA1

      94b257813d301d75895d0fee69a8acc224cca82e

    • SHA256

      14e48e373fee4fafef99517fba97e5ea5727f764a0b92509b307f9387679dd64

    • SHA512

      c10ca6caa068086aef9e36aab1ec8ae9f83367a30fa213d54fcfd5c77f0115e1b4017ddb77cf28bae3761d75ee0118241eb413613cecf4431820d526a7ba967c

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and keylogger, commonly classed as a remote access tool (RAT), that exfiltrates harvested credentials over SMTP, FTP or HTTP.

    • AgentTesla Payload

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      SWIFT-MT103_10262020.pdf.exe

    • Size

      962KB

    • MD5

      d45ea472e02716273a88ec6093443db5

    • SHA1

      bfccdf852c01557bf54eb5dd018c34f28f4c9df4

    • SHA256

      02eca93ecccb20370063ee84fc8b50f70bdc84ced1c5e09016ea7c06e7946a51

    • SHA512

      bcee0231d25468be11ebf6ad07f62c1e147e5a0a5c009f4d931b878ea6d494b39700bf0bc0b3a566ae8a556ef9b234cdbc7f2285182515fe533c2fdadd05a161

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and keylogger, commonly classed as a remote access tool (RAT), that exfiltrates harvested credentials over SMTP, FTP or HTTP.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • Target

      inquiries for WCB .exe

    • Size

      990KB

    • MD5

      931935b4df4ffdbdf7fe06ddd0ec7cd1

    • SHA1

      f41f4148962f5d0a6181c0cdf51e1d7c5b6ede8b

    • SHA256

      5a5953c3eb2a3f323e0eeb4b30092026004a2408eadedd96818e505d26f7f846

    • SHA512

      dc0e1bccf64bb8b4ff39fc1443d9f9c3c7ac90e4ac7b91bf58c75a28b3ca1736a238cd2d08f0eaed2212e21726fb438bd4fb977af29b278cb99b19831ab3487e

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and keylogger, commonly classed as a remote access tool (RAT), that exfiltrates harvested credentials over SMTP, FTP or HTTP.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                            ID      Count
Execution          Command-Line Interface               T1059   1
Persistence        Registry Run Keys / Startup Folder   T1060   1
Defense Evasion    Modify Registry                      T1112   3
Defense Evasion    Virtualization/Sandbox Evasion       T1497   2
Credential Access  Credentials in Files                 T1081   6
Discovery          System Information Discovery         T1082   11
Discovery          Query Registry                       T1012   8
Discovery          Virtualization/Sandbox Evasion       T1497   2
Discovery          Peripheral Device Discovery          T1120   1
Collection         Data from Local System               T1005   6
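
The per-target signatures above (an Office process spawning an unexpected child, a Run key being added, BIOS / VirtualBox / VMware / drive-enumeration registry reads, FileZilla and browser credential files being read, SetThreadContext-based process hollowing) and the ATT&CK v6 matrix are two views of the same behaviour. The script below is an added example for this report, not the sandbox's own rule code: it re-derives those signatures from a stream of host telemetry and tags each with an ATT&CK v6 ID. The event schema, the allow-list of expected Office child processes and the exact registry and file paths each rule matches are assumptions chosen to be representative of the signature names, and the EVENTS list is constructed for illustration.

```python
"""Re-derive the report's behavioural signatures from host telemetry and tag
each with its ATT&CK v6 technique.  Added example, not the sandbox's rules:
the event schema, the allow-list and the matched paths are assumptions,
and EVENTS is constructed.
"""
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
EXPECTED_CHILDREN = {"splwow64.exe", "dw20.exe", "dwwin.exe"}  # assumed benign helpers
CREATE_SUSPENDED = 0x4  # CreateProcess dwCreationFlags bit

# (signature, ATT&CK v6 technique, event types, regex over the lower-cased path)
PATH_RULES = [
    ("Adds Run key to start application", "T1060", {"reg_set"},
     r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\"),
    ("Checks BIOS information in registry", "T1497", {"reg_query"},
     r"\\hardware\\description\\system\\"),
    ("Looks for VirtualBox Guest Additions in registry", "T1497", {"reg_query"},
     r"\\oracle\\virtualbox guest additions"),
    ("Looks for VMWare Tools registry key", "T1497", {"reg_query"},
     r"\\vmware, inc\.\\vmware tools"),
    ("Maps connected drives based on registry", "T1120", {"reg_query"},
     r"\\services\\disk\\enum"),
    ("Reads data files stored by FTP clients", "T1081", {"file_read"},
     r"\\filezilla\\(recentservers|sitemanager)\.xml$"),
    ("Reads user/profile data of web browsers", "T1081", {"file_read"},
     r"\\user data\\[^\\]+\\login data$|\\firefox\\profiles\\.*\\logins\.json$"),
    ("Reads user/profile data of local email clients", "T1081", {"file_read"},
     r"\\thunderbird\\profiles\\|\\microsoft\\outlook\\"),
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_office_child(events):
    """'Process spawned unexpected child process': an Office host started
    something other than one of its known helper processes."""
    hits = set()
    for e in events:
        if e["type"] == "process" and _base(e["parent"]) in OFFICE:
            child = _base(e["image"])
            if child not in EXPECTED_CHILDREN:
                hits.add(("Process spawned unexpected child process",
                          "T1059" if child in SHELLS else "T1204"))
    return hits


def detect_hollowing(events):
    """'Suspicious use of SetThreadContext': the CreateProcess(CREATE_SUSPENDED)
    -> WriteProcessMemory -> SetThreadContext -> ResumeThread chain, tracked per
    target pid so partial or out-of-order chains do not fire."""
    order = ["CreateProcessW", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
    stage, hits = {}, set()
    for e in events:
        if e["type"] != "api":
            continue
        pid, api = e.get("target_pid"), e["api"]
        if api == order[0] and e.get("flags", 0) & CREATE_SUSPENDED:
            stage[pid] = 1
        elif 1 <= stage.get(pid, 0) < len(order) and api == order[stage[pid]]:
            stage[pid] += 1
            if stage[pid] == len(order):
                hits.add(("Suspicious use of SetThreadContext", "T1093"))  # Process Hollowing in v6
    return hits


def run_rules(events):
    """Return {signature: technique} for every rule that fires on the stream."""
    hits = detect_office_child(events) | detect_hollowing(events)
    for e in events:
        for name, tech, kinds, pattern in PATH_RULES:
            if e["type"] in kinds and re.search(pattern, e["path"].lower()):
                hits.add((name, tech))
    return dict(sorted(hits))


EVENTS = [  # constructed telemetry, not taken from the report
    {"type": "process", "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "process", "pid": 4133, "image": r"C:\Windows\splwow64.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "api", "api": "CreateProcessW", "target_pid": 5200, "flags": 0x4},
    {"type": "api", "api": "WriteProcessMemory", "target_pid": 5200},
    {"type": "api", "api": "SetThreadContext", "target_pid": 5200},
    {"type": "api", "api": "ResumeThread", "target_pid": 5200},
    {"type": "reg_set", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "reg_query", "path": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_query", "path": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"type": "reg_query", "path": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"},
    {"type": "file_read", "path": r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "file_read", "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]
```

The hollowing detector is stateful on purpose: SetThreadContext on its own is used by debuggers and some legitimate runtimes, so it only fires when the whole create-suspended, write, set-context, resume sequence is seen against one target pid. Process Hollowing (T1093) was a top-level technique in ATT&CK v6, which is why it does not appear in the report's matrix above under a separate row.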

Tasks

static1

macro
Score
8/10

behavioral1

formbook rat spyware stealer trojan
Score
10/10

behavioral2

formbook rat spyware stealer trojan
Score
10/10

behavioral3

Score
10/10

behavioral4

Score
10/10

behavioral5

dridex 10444 botnet loader
Score
10/10

behavioral6

Score
10/10

behavioral7

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral8

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral9

formbook rat spyware stealer trojan
Score
10/10

behavioral10

formbook rat spyware stealer trojan
Score
10/10

behavioral11

agenttesla keylogger persistence spyware stealer trojan
Score
10/10

behavioral12

agenttesla keylogger persistence spyware stealer trojan
Score
10/10

behavioral13

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral14

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral15

agenttesla evasion keylogger spyware stealer trojan
Score
10/10

behavioral16

agenttesla evasion keylogger spyware stealer trojan
Score
10/10