General
-
Target
1.zip
-
Size
15.1MB
-
Sample
210720-qzslezkv7n
-
MD5
fdaf6ea51dd2ffb3be6358964aebc2df
-
SHA1
a9b145cc736a1f2a34e800c65bf8191e151a1514
-
SHA256
bf3f46097c7766605ef2b6744d7ce077b1bb58cdccc17166e85882fc6403b38b
-
SHA512
1b2327d4eca1ab0acde2101d19ee1ab8835723959786162d73f23f7adf58eda566fd607b166de788783f17dbd54c065d6d9899f515f91334b497e26445fe3370
Malware Config
Extracted
formbook
4.1
http://www.daisy.wtf/b3pa/
http://www.valiantfinancial.net/hth0/
hghcity.com
mrk.today
ozkanmuh.com
hometex-peru.com
angelrdixon.com
sexquisitelife.com
coopereyewear.com
scaylee.com
seed-auctions.com
peachythings.com
jessicamooneyot.com
bestofbaldwincounty.com
redbirdcabin.com
padirondack.com
concourspolice.com
luissusarrey.com
brandymason.com
mirsaytov.com
kcxxg.com
kimballmccoyandassociates.com
Extracted
remcos
3.1.5 Pro
JUNE BUILD
eter101.dvrlists.com:2050
eter103.dvrlists.com:2050
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
5
-
connect_interval
3
-
copy_file
explorer.exe
-
copy_folder
Windows
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%UserProfile%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
rem
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
backup-4JVH3M
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
iexplorer
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
info@fabricationsystems-ug.com - Password:
wLoCM^c3ceo1
https://api.telegram.org/bot1880141509:AAHjseWsCVnzygKB72YGbdj6S0DpdeKfGSs/sendDocument
Extracted
asyncrat
0.5.7B
adikremix.ydns.eu:3030
AsyncMutex_6SI8OkPnk
-
aes_key
EVf3iXPqVeGNfM0v7OFtNSBkmxCEVuQk
-
anti_detection
false
-
autorun
true
-
bdos
false
-
delay
Default
-
host
adikremix.ydns.eu
-
hwid
5
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
3030
-
version
0.5.7B
Extracted
lokibot
http://manvim.co/fd3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
https://pualofficelogs.xyz/x/chinadus/fre.php
Targets
-
-
Target
Restore Messages003.exe
-
Size
629KB
-
MD5
43c163d00f21b33ed94f4b52fe8e83f4
-
SHA1
9452bf56d750fb37d7f2374ceb2c30b0953098a6
-
SHA256
534d8b4992d534bc90055bab8ad3f479f29d613d573a42cf7e136dd84153b48b
-
SHA512
3ddb76ced0bec5ae2c689572d94b2730598d19837211f4ebebbf54130804eba5c6ec0508abefda57f4f2bd1bb334d496d8cc0e167f9069b6266d2f1303d01d2f
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook Payload
-
Deletes itself
-
Suspicious use of SetThreadContext
-
-
-
Target
060106363494814da48982a85e4c66f5d52e84a537dbb4acbc55067301d88679
-
Size
44KB
-
MD5
2cc78d26d93badb6c68a2dc45739c0d9
-
SHA1
17b759f3eef0c9c5a7edeb645e6c8853210e3d53
-
SHA256
060106363494814da48982a85e4c66f5d52e84a537dbb4acbc55067301d88679
-
SHA512
fbb2988cc0a586891e322242663272be6d0b2865728d34080a4d83812e283bc065397d38ead3d2386086e954de4bbc9d8079760aa9c71c8896c0ceb7cf917f54
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Drops file in System32 directory
-
-
-
Target
0b1970568987b6e2a949dde9d4e249d704cbfaf622c80741db02dd711838abff
-
Size
574KB
-
MD5
ccd4f46c1d959ad230d010b08c6b7c4e
-
SHA1
a03177c897a58c09c358fecf75ce6c2929182578
-
SHA256
0b1970568987b6e2a949dde9d4e249d704cbfaf622c80741db02dd711838abff
-
SHA512
3a7c932f423096428625f1023d2bc827f8a7103000a7d783b7415c436fde93a05ae1b19b383826e2bbde349c640e3c8ccbd6e9336e9c4c597371d4781dc507fe
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext
-
-
-
Target
0f5f5f5134295164f769b3a5555c86ab37b94284a7fc61cd1bbbdd496b80c25b
-
Size
353KB
-
MD5
7f4fd0681d3a4feb838e6fa73e8b50b8
-
SHA1
0f2b98ee6967a599347a5880ba308cef155758b1
-
SHA256
0f5f5f5134295164f769b3a5555c86ab37b94284a7fc61cd1bbbdd496b80c25b
-
SHA512
4327615f57eaac3a5b30c37d46021032f385260128171e64e87a9ce187c2d8226e33420f1ce4774341b08e23b7a7448adfc921d28539dda6e702fef6e4a81924
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
188bcacd74aabebec45f6a24175295ed574de65516021c9f0739dff3e9666a6f
-
Size
963KB
-
MD5
8cf3b072e1e057c7e05e2874b0c1deea
-
SHA1
3e38118f82a4657c52e9b0c8f5562da1112ce23a
-
SHA256
188bcacd74aabebec45f6a24175295ed574de65516021c9f0739dff3e9666a6f
-
SHA512
cccb67aa3c7e0d67e85831d4ddca12dd49b893411bebcf1dfcc9505f7ac5d0f61076d45fadc21f7fd6daf3e2f56ac659f0cff9aaa64a73539ad74d8b10483831
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Suspicious use of SetThreadContext
-
-
-
Target
1c2e4fc620772752079b05cdd904aa18a3482066e3b6f11f5a798f6a278b9f78
-
Size
650KB
-
MD5
5a820a226623093301ad865be17e1790
-
SHA1
472cbc48b55eb69678461638970f042bbe4dbf44
-
SHA256
1c2e4fc620772752079b05cdd904aa18a3482066e3b6f11f5a798f6a278b9f78
-
SHA512
885c63be102c1a810c72afbccc374297e645ebe9a5e34c80e9d222e1b853e5cbffcbe3d457f9cf20ef3947b179a72d8a15147ab3a9d43a5140e9146c8c5d5e4c
Score3/10 -
-
-
Target
1e39513b16501c1ff55a8a9d4c7b4b27ad067f3063002541b74b43e547ca8bf8
-
Size
167KB
-
MD5
af0fd90844b27503b3b3114f9da51fd1
-
SHA1
c87e413cfb905d386c69bfc234ce521301c70573
-
SHA256
1e39513b16501c1ff55a8a9d4c7b4b27ad067f3063002541b74b43e547ca8bf8
-
SHA512
8769aac29d21418294f2f127c416ee97c847504eea49df491b6fee80cdb604c2b2ca8657b0926500b58afbc888d2e26fcf9291dac46c5c86e090095de7c78751
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
TT COPY.exe
-
Size
837KB
-
MD5
ba13e04243a1c130a961577665e081cd
-
SHA1
dee255022621fe995ac13d6f236b6b82e612382a
-
SHA256
9613a9091f407470785d30cda2e384ae38fef3b2ad693ee00f2c65f59aada2c0
-
SHA512
682f3ad0c13fd4234a38791279f51ba1047c0b358de2fdb6fa658facc19bdbe9d8b2091458c65f92250588975883013dcbbf21f836bf54a6226f53f0e4678c12
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Drops file in Drivers directory
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
29e897846dad42a2a15e6059927ed91f98a8ef5cf6fa13b2b08ef48b6e951d9c
-
Size
71KB
-
MD5
64e57b2742504c9bfbf14599c5810b61
-
SHA1
7ca86f35cd340ee753490d7563caf1af888cc971
-
SHA256
29e897846dad42a2a15e6059927ed91f98a8ef5cf6fa13b2b08ef48b6e951d9c
-
SHA512
e1fd43ee037914bcc05dc9ea9ef2d96a5353b924d88eab5a31fb4e7eb9b1f97a42fd95dc3481126506b6780f19aa120436b8d14a75cf155b59bcf6a7d8d1cebb
Score1/10 -
-
-
Target
31c031a7f6fb39ba50153376ee653388d606a8bc1268954460de5d37f91e4621
-
Size
882KB
-
MD5
d834b46d46ca7e6237042698ea004216
-
SHA1
4850d34d0cffba2103621564ad6768f97e6cdff2
-
SHA256
31c031a7f6fb39ba50153376ee653388d606a8bc1268954460de5d37f91e4621
-
SHA512
81b3a293ae93947db2b81738c3addd5d7e61af480c2138066bfad4669b7431afc63d3b6a33d50bd5bb2a5122bad924a335247c4aca6d23902ce981c336bb619f
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
-
-
Target
476b568daffd903ccc4cde8c7f8d643eaba306fcad74e2f90dff37504bb11292
-
Size
903KB
-
MD5
894de816474f339e15cc443c3a9bfdc6
-
SHA1
f5e1a9fe6eb9d41b860b4a25bce927201118262e
-
SHA256
476b568daffd903ccc4cde8c7f8d643eaba306fcad74e2f90dff37504bb11292
-
SHA512
81863a5c0d1bd420dc6b9fd057a2c0dfa68601a7e090c06d731da21a5920d45ce8273d5069367a7063438afa5dc869e679ed87af166d96bf1dc8c863cee7cc3a
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Suspicious use of SetThreadContext
-
-
-
Target
4975909b70555a443f8acbb22ef17f932eed445bf52148043ca4a1cc10e43264
-
Size
1.3MB
-
MD5
6efa62d808261b970ec5fbb108b9ef49
-
SHA1
90b1e50fb263d2d97e4197725079efe0da7032db
-
SHA256
4975909b70555a443f8acbb22ef17f932eed445bf52148043ca4a1cc10e43264
-
SHA512
3fefcfaa0080e548bcc970fffd625fa7a6852fe8cd566d4d6b55e9830b0bcbcba44b53dc21fdbdf5dd890d37311c33f8e747ce8a5b75cdf1d8e9d8f4f2fec9fb
Score1/10 -
-
-
Target
4c0c8cbb0e933f865862852967071eb6908bca3c610d2b14a77149d756db00fe
-
Size
1.5MB
-
MD5
c2ab0821f7a097b7f3ef7d45cf321bf6
-
SHA1
7939cb0bedbece4eb9e5c75874c7701086e688d2
-
SHA256
4c0c8cbb0e933f865862852967071eb6908bca3c610d2b14a77149d756db00fe
-
SHA512
0f295995ba2c9fce2686560c73f073c8b67788420700fea26e7b344010094230ac04569eb23cfee63c141c40adbc8897226fdb76799d2d0b502d0133eee6eae4
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook Payload
-
Suspicious use of SetThreadContext
-
-
-
Target
8017a07f03965d9490f9cdbba68ff3a3580441ca0e76b140f1e4bb939c4073b3
-
Size
712KB
-
MD5
01db26749ca18d3d1cadcdb367ac18ca
-
SHA1
6eb78092e667f7375177e5da42bd302a4e00c670
-
SHA256
8017a07f03965d9490f9cdbba68ff3a3580441ca0e76b140f1e4bb939c4073b3
-
SHA512
f31aecdb134bd0f0177e4466aa3fe540b4518f3e95a6c8e4549d609bf99e13ea7ee051e030664d57a5d0b20ec848407e5dbd58c2a69130d015c8099f248439a4
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
-
-
Target
8f23d20d11602a29f56c47a6efad0cffbd43a32c7fb4f2df5ebf4c5bace60d8d
-
Size
666KB
-
MD5
4f5b0c1289ea63135ea4dc6d618b1132
-
SHA1
b59ab1055f5155054f50ff573844b5250a0963a1
-
SHA256
8f23d20d11602a29f56c47a6efad0cffbd43a32c7fb4f2df5ebf4c5bace60d8d
-
SHA512
cede740a19ac4d77cc8072c36a604041a012f3a0ec5f69d8ca8dce01714b0bde596d84a6c98d9f11ada6c0237fd526d5f28b9bdb1bf86eea7c391214c5781478
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Suspicious use of SetThreadContext
-
-
-
Target
90f026ae8692c2199e2a5e8ea618c93ff00fd5d07ac974191ca5f060c1f7c737
-
Size
665KB
-
MD5
f4551cadd68cf58e1ea86d3664eefd4c
-
SHA1
e184513a01eb1dd3a34998f6f3c756681687eb90
-
SHA256
90f026ae8692c2199e2a5e8ea618c93ff00fd5d07ac974191ca5f060c1f7c737
-
SHA512
e52f815e10d145b0f81630ab60c87644cfb6ba53e026f367d5d29ce096bdc3b4db772456bb3df0e40ccc68f08648a27b520a923a05d4c24f8faf45be63efd843
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Suspicious use of SetThreadContext
-