General

  • Target

    download(1).zip

  • Size

    2.7MB

  • Sample

    210513-9mnj9w9st2

  • MD5

    1aedf56f92f2f249368faac63a02c136

  • SHA1

    793e20860b95bf9a55eb78505b83368b2a11856a

  • SHA256

    40713f300e2694a2f2e99d63fb94b1cd3d8cc01c33a801256103fcda45f94717

  • SHA512

    cafe4faacabe2844157bdc695bb08ca04a049296b4aee2e79c4e8f6cb6275e64d054ebf2d908bbc4168746b6ec1333d693667ba9fea5435a75ebc1e501bd45d8

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    sixjan.xyz
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    H^i?T2&gWQ({

Extracted

Family

formbook

Version

4.1

C2

http://www.knighttechinca.com/dxe/

Decoy

sardarfarm.com

959tremont.com

privat-livecam.net

ansel-homebakery.com

joysupermarket.com

peninsulamatchmakers.net

northsytyle.com

radioconexaoubermusic.com

relocatingrealtor.com

desyrnan.com

onlinehoortoestel.online

enpointe.online

rvvikings.com

paulpoirier.com

shitarpa.net

kerneis.net

rokitreach.com

essentiallygaia.com

prestiged.net

fuerzaagavera.com

Extracted

Family

xloader

Version

2.3

C2

http://www.onyxcomputing.com/u8nw/

Decoy

constructionjadams.com

organicwellnessfarm.com

beautiful.tours

medvows.com

foxparanormal.com

fsmxmc.com

graniterealestategroup.net

qgi1.com

astrologicsolutions.com

rafbar.com

bastiontools.net

emotist.com

stacyleets.com

bloodtypealpha.com

healtybenenfitsplus.com

vavadadoa3.com

chefbenhk.com

dotgz.com

xn--z4qm188e645c.com

ethyi.com

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.netalkar.co.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    sih70111
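The four extracted configs above give the network indicators that matter for hunting: two HTTP C2 URLs (Formbook and Xloader), two SMTP exfiltration endpoints (Agent Tesla and Snake Keylogger), and a long list of Formbook/Xloader decoy domains. The decoys are domains the sample also beacons to so that the real C2 is buried in the noise; many are legitimate sites, so they should be scored differently from the C2. The Python below is an added example, not part of the sandbox report: it matches constructed proxy and flow log lines (the log format, IP addresses and the subset of decoys used are assumptions for the demo) against the report's indicators and separates confirmed hosts from decoy-only hosts.

```python
"""Match proxy and flow logs against the C2 and exfiltration indicators the
sandbox extracted from this bundle. Added example, not part of the report;
the log lines and log formats are constructed for illustration."""
from urllib.parse import urlsplit

# HTTP C2 URLs from the Formbook and Xloader configs above.
HTTP_C2 = {
    "formbook 4.1": "http://www.knighttechinca.com/dxe/",
    "xloader 2.3": "http://www.onyxcomputing.com/u8nw/",
}
# SMTP exfiltration endpoints from the Agent Tesla and Snake Keylogger configs.
SMTP_EXFIL = {
    ("sixjan.xyz", 587): "agenttesla",
    ("smtp.netalkar.co.in", 587): "snakekeylogger",
}
# A subset of the decoy domains from the two configs. Formbook beacons to
# these alongside the real C2 so that the latter is hidden in the noise;
# many are legitimate sites, so a hit alone is not proof of infection.
DECOYS = {"sardarfarm.com", "959tremont.com", "constructionjadams.com",
          "organicwellnessfarm.com"}

# Constructed proxy log: "<ts> <src_ip> <method> <url> <status>"
PROXY_LOG = """\
2021-05-13T09:41:02Z 10.0.0.21 GET http://www.knighttechinca.com/dxe/ 200
2021-05-13T09:41:05Z 10.0.0.60 GET http://www.sardarfarm.com/dxe/ 404
2021-05-13T09:41:09Z 10.0.0.21 POST http://www.onyxcomputing.com/u8nw/ 200
2021-05-13T09:42:00Z 10.0.0.33 GET http://www.example.com/ 200
"""
# Constructed flow log: "<ts> <src_ip> <dst_host> <dst_port> <proto>"
FLOW_LOG = """\
2021-05-13T09:43:10Z 10.0.0.21 sixjan.xyz 587 tcp
2021-05-13T09:43:12Z 10.0.0.21 smtp.office365.com 587 tcp
2021-05-13T09:44:30Z 10.0.0.45 smtp.netalkar.co.in 587 tcp
"""


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def match_http(log: str) -> list:
    """Return (src_ip, family, confidence, url) for proxy lines that touch a C2
    or a decoy. Host and path are compared separately: Formbook sends the same
    URI path to its decoys, so a decoy hit carrying a known C2 path is rated
    medium and a bare decoy hit low."""
    c2 = {(urlsplit(u).hostname, urlsplit(u).path): fam for fam, u in HTTP_C2.items()}
    c2_paths = {path for _, path in c2}
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line, skip rather than guess
        _ts, src, _method, url, _status = fields
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path
        if (host, path) in c2:
            hits.append((src, c2[(host, path)], "high", url))
        elif _strip_www(host) in DECOYS:
            conf = "medium" if path in c2_paths else "low"
            hits.append((src, "formbook/xloader decoy", conf, url))
    return hits


def match_smtp(log: str) -> list:
    """Return (src_ip, family, host, port) for flows to a known exfil mailbox."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, src, host, port, _proto = fields
        key = (host, int(port))
        if key in SMTP_EXFIL:
            hits.append((src, SMTP_EXFIL[key], host, int(port)))
    return hits


def triage(proxy_log: str = PROXY_LOG, flow_log: str = FLOW_LOG):
    """Per source IP, the families seen at high confidence; hosts that only
    touched decoys are returned separately for review rather than blocked."""
    confirmed, decoy_only = {}, set()
    for src, family, conf, _url in match_http(proxy_log):
        if conf == "high":
            confirmed.setdefault(src, set()).add(family)
        else:
            decoy_only.add(src)
    for src, family, _host, _port in match_smtp(flow_log):
        confirmed.setdefault(src, set()).add(family)
    return confirmed, decoy_only - set(confirmed)


if __name__ == "__main__":
    confirmed, decoy_only = triage()
    for src, fams in sorted(confirmed.items()):
        print(f"{src}: {', '.join(sorted(fams))}")
    print("decoy-only, review manually:", sorted(decoy_only))
```

The SMTP endpoints are the strongest indicators here: the host, port and credentials are unique to the attacker's mailbox, so any outbound session to them from a workstation is worth an immediate response, whereas a decoy-domain hit only earns a closer look at that host.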

Targets

    • Target

      Fattura_01137434.xlsm

    • Size

      45KB

    • MD5

      589908c69f247ea72c95f5ddb73cc754

    • SHA1

      fd09c95120b2e9a9cbfaabc020692ef6033de489

    • SHA256

      c29e9174d9c04bfbfdea49fe3804230bec0d893a1e6c6efa8fd5a6f9df59aaec

    • SHA512

      f04a7612eed879b56a3638aaf8aa093143f336e77f6641a6d66ba7618f67dcf13970d094079030564bc86dc706e5deb8d5f2466ea2e9320ccd3ae22b9c034291

    Score
    1/10
    • Target

      Fattura_01438445.xlsm

    • Size

      45KB

    • MD5

      e0a02acd4eaf58bb9b3da7d0dc607012

    • SHA1

      5a87d1cc341aa97ccc3212004c7e9941be907250

    • SHA256

      257081cff751b50290e6de748093ea672c1bafd4d18666e831c6cdf088cfd93e

    • SHA512

      6d3b52627f31238afa13c2c302f66f1816f593ce6c62f72eb1fb1afb355b3a368a0fadf9c718e81b5b62d616bc98f991778b8dfded3091dacff50e85f8697d90

    Score
    1/10
    • Target

      Fattura_01634446.xlsm

    • Size

      45KB

    • MD5

      392763f30bb23fd59109e1c70df61888

    • SHA1

      5e14aa49a49bbeb9666e5f9fa819ff3821abb739

    • SHA256

      05ed6d423552ca65cdc01d9329bade7ef4437e55304a6794baca37d175ee515b

    • SHA512

      25746152a3d25ef6f796e250504deb93edff19c3ba88b86fe04381dcfd3a8942bd46e63aaef62f8a6e8e27a204ada13d1e77bd7db9bae39136ac81806898d622

    Score
    1/10
    • Target

      IMG_056_107_0282.exe

    • Size

      439KB

    • MD5

      ea5bb3942f552e56ca59617b5eac93ec

    • SHA1

      49d672af670d0ecae7465b385187deb0b4bcd21a

    • SHA256

      8f40cf7d57b7aeefc1e920d6f4f0048d8a233f5153250e50538e7b4481401c1c

    • SHA512

      34cc132f44bb5708c588bfcb060d58df57a0566587214b3f91437489eefbc6534b3986bc0ebf0f9acd4b7f4f3be63d23ba6cc52aa71a1ed154aa542ec5e6989c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and infostealer written in Visual Basic .NET.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • Target

      IMG_056_107_0282.xlsx

    • Size

      37KB

    • MD5

      b35ed4ff6e0b758668661a55bc85c9ed

    • SHA1

      494be81f66f21e809eaa3009dd29cbccecc532ab

    • SHA256

      46065af1a7719e79393430eb1d24ef8c4040cb9ac5a69962e536d0760bc57f9f

    • SHA512

      fbcf2c09684403bd3f329b4036a1081c4dfee949aced80f31b092888c0516aeab197094e0640d7ba7ae2e0b48601134e5d41defd2ff428596f9e01b5c8fe39e3

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      IMG_5018_330_92.exe

    • Size

      723KB

    • MD5

      ad44d5764bd7ad4db1e725b66f01498e

    • SHA1

      2d64033647906613abfbe2da8176b768d88b9fd5

    • SHA256

      798cecbce0139e502fd6b23a7d147480d25a168d93131ba2e59f5b81ddbebb28

    • SHA512

      73b295ff876fdcee2ba8c3d2a71a479ac5aeda69d7d4b9f42067c98cafc954925309f2f2ebf4a110844466a03a163bd211a67fcd5aac8f56195bcdf69bbeba6a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and infostealer written in Visual Basic .NET.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • Target

      IMG_5018_330_92.xlsx

    • Size

      754KB

    • MD5

      7eaef19cc024f1c43914647e109c00c1

    • SHA1

      7e1a1ff19263d373fcb57548ca272b746251c5ee

    • SHA256

      9309d81abeb0a8e779dcd9e63f6ec4ac8dc106b86b723adb42a0004af47b3e0a

    • SHA512

      08addc8890180ece19ca31a2956e5e7e3e547721d3271923ee616cadcae5432744720378fb972c9bcf219e1f2917bfce891117db3a885450455ce66e503ecd05

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      PI.exe

    • Size

      226KB

    • MD5

      c47d03f8f3f8384bd50384c41d9a072c

    • SHA1

      859109ea27ca30e0c96d8133c04d0b1e241b84f1

    • SHA256

      d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138

    • SHA512

      a16851638fd1afd5e2353407e9af35549bb1d9e5d8c58e763ba1027df374315672df5eedcab2d5875feab06f2593d393d979c870658afcb8ce3ed719f17eaa79

    • Formbook

      Formbook is an infostealer that logs keystrokes and harvests browser and form data; its real C2 is hidden among the decoy domains listed in the extracted config above.

    • Formbook Payload

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      cks.exe

    • Size

      270KB

    • MD5

      5ef9a3e77b5855883de9e1a54ea8674c

    • SHA1

      f169db5236e2362301c0f8a009da7f175bf598d0

    • SHA256

      044a48e38a2ce6f76042fae04889fb81e2563933d63c28532b4dba27b7599add

    • SHA512

      b3c7ef452b1d65e531b40acdcee78b7630989fe3a4569e73400503c2533097f96a1193103d8f9b8df7df524c1fcaa3809ddcaecc0cab66d57d7cf92697d129e0

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      Scan_018819.exe

    • Size

      1.0MB

    • MD5

      64325f0e08a364425cb97715a58457af

    • SHA1

      1f2efb3e59fc7120d00c282629eeda230c415a15

    • SHA256

      3a11e93d6c4a21ff966d34fd500c81e69ecd4b63d6906623d3b37ecf4d60bebd

    • SHA512

      ccc2ee4bc6c143d5b59c4a6732de75450d4712b95e2e9db3c815a9f4c78f83761a45e711cfd8843fa8fe7fc8d4d3dfafb1f8b04bc4e3e0363da71a3b8a6c61ca

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      slot Charges.exe

    • Size

      205KB

    • MD5

      5830b69895c4f5b70d2f5c94cd718fa6

    • SHA1

      4ccc32740d632777fd30c8029ca2ef6c3def984c

    • SHA256

      735d11c1fa476083846e9e622af57a902ff20be1a1bbce7d8ec9f7f4179d1bb3

    • SHA512

      a7763bd57e9e107992b7073ad02d0dc7981696a2cb7449ee20f8e5b233e61f5f029af23348c5225469c68c015ba8e20e18c8bd5f0b949863b620363edc24dd79

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

macro
Score
8/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral8

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral9

Score
8/10

behavioral10

Score
1/10

behavioral11

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral12

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral13

Score
8/10

behavioral14

Score
1/10

behavioral15

formbook, rat, spyware, stealer, trojan
Score
10/10

behavioral16

formbook, rat, spyware, stealer, trojan
Score
10/10

behavioral17

xloader, loader, rat
Score
10/10

behavioral18

xloader, loader, rat
Score
10/10

behavioral19

snakekeylogger, keylogger, spyware, stealer
Score
10/10

behavioral20

snakekeylogger, keylogger, spyware, stealer
Score
10/10

behavioral21

xloader, loader, rat
Score
10/10

behavioral22

xloader, loader, rat
Score
10/10