Overview

Analysis tabs (badge digits as extracted, the score marker preceding each tab label; sample name; platform):
  -    Overview
  10   Static
  -    23-07-2021...df.exe     windows7_x64
  3    23-07-2021...df.exe     windows10_x64
  3    23-07-2021...r .exe     windows7_x64
  10   23-07-2021...r .exe     windows10_x64
  10   New order ...df.exe     windows7_x64
  10   New order ...df.exe     windows10_x64
  10   23-07-2021...at.exe     windows7_x64
  10   23-07-2021...at.exe     windows10_x64
  10   23-07-2021...2).exe     windows7_x64
  10   23-07-2021...2).exe     windows10_x64
  10   Payment copy.pdf.exe    windows7_x64
  1    Payment copy.pdf.exe    windows10_x64
  10   23-07-2021...TA.exe     windows7_x64
  10   23-07-2021...TA.exe     windows10_x64
  10   23-07-2021...PY.exe     windows7_x64
  10   23-07-2021...PY.exe     windows10_x64
  10   23-07-2021...at.exe     windows7_x64
  10   23-07-2021...at.exe     windows10_x64
  10   payment re...df.exe     windows7_x64
  10   payment re...df.exe     windows10_x64
General
  Target:  23-07-2021.zip
  Size:    5.0MB
  Sample:  210725-aavyyb3kkj
  MD5:     8fb2af5b5c47aa834f59f0465d51c67d
  SHA1:    c3d6afe050bb344386c81f5546c7329ae9984763
  SHA256:  2f13f6e9fee8ddc78cf064f255b4885dbf51f69b029648e21a2f24973467fc19
  SHA512:  8ccde01c889fcd0f2f2c0458eeda63ad3b60ae189a12922f3120aec0596734c1ffd1ee86a9115f678ce0bd0207521e7cdf18cf34ec597b02e171dfb0e131ec5b
Static task
  static1

Behavioral tasks (task; sample; resource):
  behavioral1    23-07-2021/????????-pdf.exe               win7v20210410
  behavioral2    23-07-2021/????????-pdf.exe               win10v20210408
  behavioral3    23-07-2021/New Order .exe                 win7v20210410
  behavioral4    23-07-2021/New Order .exe                 win10v20210408
  behavioral5    New order 11244332.pdf.exe                win7v20210410
  behavioral6    New order 11244332.pdf.exe                win10v20210408
  behavioral7    23-07-2021/ORIGINAL DOCUMENTS.bat.exe     win7v20210410
  behavioral8    23-07-2021/ORIGINAL DOCUMENTS.bat.exe     win10v20210410
  behavioral9    23-07-2021/PREVENTIVO RICHIESTO (2).exe   win7v20210408
  behavioral10   23-07-2021/PREVENTIVO RICHIESTO (2).exe   win10v20210410
  behavioral11   Payment copy.pdf.exe                      win7v20210408
  behavioral12   Payment copy.pdf.exe                      win10v20210410
  behavioral13   23-07-2021/RICHIESTA DI OFFERTA.exe       win7v20210408
  behavioral14   23-07-2021/RICHIESTA DI OFFERTA.exe       win10v20210410
  behavioral15   23-07-2021/SWIFT COPY.exe                 win7v20210410
  behavioral16   23-07-2021/SWIFT COPY.exe                 win10v20210408
  behavioral17   23-07-2021/Swift.bat.exe                  win7v20210410
  behavioral18   23-07-2021/Swift.bat.exe                  win10v20210408
  behavioral19   payment receipt.pdf.exe                   win7v20210410
  behavioral20   payment receipt.pdf.exe                   win10v20210408
Malware Config

Extracted: agenttesla
  Protocol:  smtp
  Host:      smtp.alruomigroup.com
  Port:      587
  Username:  eepauloffice@alruomigroup.com
  Password:  HpabZXh7

Extracted: snakekeylogger
  Protocol:  smtp
  Host:      us2.smtp.mailhostbox.com
  Port:      587
  Username:  kinghybrid@myexodus1.com
  Password:  $ASmZLn8
Targets

Target:  23-07-2021/????????-pdf.exe
  Size:    62.0MB
  MD5:     3663443134be0b9681843e69ecf12f15
  SHA1:    ebf0f0293d3445e959407ea3c76783deb5b783c3
  SHA256:  e32a832fe1773b971604323c5cd7b3165a3b44c4fb4b9bcd1fd408676bd0f6a2
  SHA512:  7a2fbc65fdb936553e3d29c79f889247049ce27f86e7314cf5e44ce58f8b722e585e112504c3c51edaa423167a1a7f3b58a96d1cdc69715d7f37f13b8a870685
  Score:   3/10
Target:  23-07-2021/New Order .exe
  Size:    1.1MB
  MD5:     7f87c2a83ffa8ef3be8071d5102c193c
  SHA1:    6ac3c7e3cb04f1efd30b67fb574bea674152fbd7
  SHA256:  e5a5ec86338937058c7c4da50968ebc910da33bf37f73243a42dff434f2634f9
  SHA512:  502504fcbf167cf8490dfa67197957f389d602669a81b2d9df368584efffb0dbaaf3ed67e71ec136f7dff05f49ad4dd0b1f5fd3be610b373221b7f9924ad311f
  Signatures:
    - AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    - AgentTesla Payload
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
Target:  New order 11244332.pdf.exe
  Size:    480KB
  MD5:     db7c4d333bcd92011b410f97ef60924c
  SHA1:    7281874a20339ad2553f443ad1dc607f91c87462
  SHA256:  bad2fa4f30cf24cd6c0455105a2780cb1ffd3a0efd3714a99fc9eb6b2d295c72
  SHA512:  ea08642286f41eba4600e03fbf60b9d8a6479e713ef69a197d331fef0e5654f50965681d852d81669c6a437c3eb8fc3a472719fd62b0e0fa0f2cad64d6457f83
  Score:   10/10
  Signatures:
    - AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    - AgentTesla Payload
    - Suspicious use of SetThreadContext
Target:  23-07-2021/ORIGINAL DOCUMENTS.bat
  Size:    1011KB
  MD5:     151fc9fe041379d1ee06e28f68a44edc
  SHA1:    07b4bca851f1f9481abc2c736533aa1396595747
  SHA256:  9ef2c1ebeede51785ddb4f88b4b8ad0eeed5f369e1225dbdde6b9e6d1f8cb1f3
  SHA512:  c1b9cca24b1f0ef04a121a4086181a4f3d93ac701ad4c79850bb1055c7727a0ef179b6b77851028765ba5422e1f6a84810441a945129ec6b25cb217f69c307e0
  Score:   10/10
  Signatures:
    - Snake Keylogger Payload
    - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    - Suspicious use of SetThreadContext
Target:  23-07-2021/PREVENTIVO RICHIESTO (2).exe
  Size:    236KB
  MD5:     72d9c62e4483519df1303fe0c46d16aa
  SHA1:    12093edc01bcf89eb7a9758d1392592fb273de35
  SHA256:  42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895
  SHA512:  cf6d6c1a6072c022ab4d19f098715cba02f8dcc74f01ce7ad735d5cdb5c7505aeb9c98fb9ff3faac7932ffbdb7cdf581c583fa846cc76b71dee3f2a71b7b30a0
  Score:   10/10
Target:  Payment copy.pdf.exe
  Size:    597KB
  MD5:     59ebd03380ec88b7543ce53775402ad4
  SHA1:    ffdcf1b54a27cfe803cdb97a9be8da8f4d451e88
  SHA256:  6bc597969852f50b5c80dcd7efaa0792d170999456c6f8bd0a5ce274ae4eb63b
  SHA512:  293e276d463fdcf37e193536929badb42cce238f76a2e2c375eaa92fd0eccc933b6efa3f2f102c9f076ff701a3940e1788e2a2a45930460153054a7806b82f92
  Score:   10/10
  Signatures:
    - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    - Suspicious use of SetThreadContext
Target:  23-07-2021/RICHIESTA DI OFFERTA.exe
  Size:    236KB
  MD5:     73bb5c4b690b8d6df88d6bc18fb3a553
  SHA1:    60adddd91b6038fc9d819cf6d647ce3be0b11d38
  SHA256:  a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
  SHA512:  9c023dc66d9bcfb2f5bc0274001d92948ac058fc8765d2178907dfd8fb9885ede57acc3836d583ad97516dce1a97c50f081800b41a1f42ea938efb8b23e87567
  Score:   10/10
Target:  23-07-2021/SWIFT COPY.exe
  Size:    856KB
  MD5:     3a1ea135a9c0052092eedfcabe68aed8
  SHA1:    74a913e85badf5a2e4deb3d2432968c45b7f33a6
  SHA256:  47330ca2aa141e11e54335dbf0eea19ebb923d0b5c3670b20ee051678d87b68a
  SHA512:  8c1191829862bffd20627d60b4087d1fdc0cda858de48cca42123123f8e3a2f3778d6e45c1438b3289f768681f4c624fe85a46a58de7bf53996eeea0897f318a
  Score:   10/10
  Signatures:
    - Snake Keylogger Payload
    - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    - Suspicious use of SetThreadContext
Target:  23-07-2021/Swift.bat
  Size:    881KB
  MD5:     aeb27feb1512dd535095f86595b6b942
  SHA1:    e922aea5d270b7843d300546a25793bea7b92088
  SHA256:  beb634a46843656d4251d26809f37ff2288cfa38d8fe5d48975cd9b546cb5d6b
  SHA512:  bc7d4f7b6594021a032ee65ca20fba094cf9b75ba3adf6d8ab2050e29cbe11c3864c6e45e425e2fd1e5167554d11a27680af4d193a2eb193e76bc1853b729245
  Score:   10/10
  Signatures:
    - Snake Keylogger Payload
    - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    - Suspicious use of SetThreadContext
Target:  payment receipt.pdf.exe
  Size:    863KB
  MD5:     0353af1ae14e14bf804fb78a04ae8f42
  SHA1:    250aa0d3f7b16d7ff122f8ad16febb9213074676
  SHA256:  746073d0f2958ace46267fa4ed5badc249b7e3a55d76c2b230c0a8b457caf6a5
  SHA512:  e72a7a3924b024edf190dbecf6d1466635093b9e6e366b8d283d71c8720707f989507322fb1bea3011fb4384ab69e88dddc61f1544cf0799e3bac693bc56c133
  Score:   10/10
  Signatures:
    - AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    - AgentTesla Payload
    - Suspicious use of SetThreadContext