General

  • Target

    23-07-2021.zip

  • Size

    5.0MB

  • Sample

    210725-aavyyb3kkj

  • MD5

    8fb2af5b5c47aa834f59f0465d51c67d

  • SHA1

    c3d6afe050bb344386c81f5546c7329ae9984763

  • SHA256

    2f13f6e9fee8ddc78cf064f255b4885dbf51f69b029648e21a2f24973467fc19

  • SHA512

    8ccde01c889fcd0f2f2c0458eeda63ad3b60ae189a12922f3120aec0596734c1ffd1ee86a9115f678ce0bd0207521e7cdf18cf34ec597b02e171dfb0e131ec5b

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.alruomigroup.com
  • Port:
    587
  • Username:
    eepauloffice@alruomigroup.com
  • Password:
    HpabZXh7

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    kinghybrid@myexodus1.com
  • Password:
    $ASmZLn8

Targets

    • Target

      23-07-2021/????????-pdf.exe

    • Size

      62.0MB

    • MD5

      3663443134be0b9681843e69ecf12f15

    • SHA1

      ebf0f0293d3445e959407ea3c76783deb5b783c3

    • SHA256

      e32a832fe1773b971604323c5cd7b3165a3b44c4fb4b9bcd1fd408676bd0f6a2

    • SHA512

      7a2fbc65fdb936553e3d29c79f889247049ce27f86e7314cf5e44ce58f8b722e585e112504c3c51edaa423167a1a7f3b58a96d1cdc69715d7f37f13b8a870685

    Score
    3/10
    • Target

      23-07-2021/New Order .exe

    • Size

      1.1MB

    • MD5

      7f87c2a83ffa8ef3be8071d5102c193c

    • SHA1

      6ac3c7e3cb04f1efd30b67fb574bea674152fbd7

    • SHA256

      e5a5ec86338937058c7c4da50968ebc910da33bf37f73243a42dff434f2634f9

    • SHA512

      502504fcbf167cf8490dfa67197957f389d602669a81b2d9df368584efffb0dbaaf3ed67e71ec136f7dff05f49ad4dd0b1f5fd3be610b373221b7f9924ad311f

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      New order 11244332.pdf.exe

    • Size

      480KB

    • MD5

      db7c4d333bcd92011b410f97ef60924c

    • SHA1

      7281874a20339ad2553f443ad1dc607f91c87462

    • SHA256

      bad2fa4f30cf24cd6c0455105a2780cb1ffd3a0efd3714a99fc9eb6b2d295c72

    • SHA512

      ea08642286f41eba4600e03fbf60b9d8a6479e713ef69a197d331fef0e5654f50965681d852d81669c6a437c3eb8fc3a472719fd62b0e0fa0f2cad64d6457f83

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • Target

      23-07-2021/ORIGINAL DOCUMENTS.bat

    • Size

      1011KB

    • MD5

      151fc9fe041379d1ee06e28f68a44edc

    • SHA1

      07b4bca851f1f9481abc2c736533aa1396595747

    • SHA256

      9ef2c1ebeede51785ddb4f88b4b8ad0eeed5f369e1225dbdde6b9e6d1f8cb1f3

    • SHA512

      c1b9cca24b1f0ef04a121a4086181a4f3d93ac701ad4c79850bb1055c7727a0ef179b6b77851028765ba5422e1f6a84810441a945129ec6b25cb217f69c307e0

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      23-07-2021/PREVENTIVO RICHIESTO (2).exe

    • Size

      236KB

    • MD5

      72d9c62e4483519df1303fe0c46d16aa

    • SHA1

      12093edc01bcf89eb7a9758d1392592fb273de35

    • SHA256

      42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895

    • SHA512

      cf6d6c1a6072c022ab4d19f098715cba02f8dcc74f01ce7ad735d5cdb5c7505aeb9c98fb9ff3faac7932ffbdb7cdf581c583fa846cc76b71dee3f2a71b7b30a0

    Score
    10/10
    • Target

      Payment copy.pdf.exe

    • Size

      597KB

    • MD5

      59ebd03380ec88b7543ce53775402ad4

    • SHA1

      ffdcf1b54a27cfe803cdb97a9be8da8f4d451e88

    • SHA256

      6bc597969852f50b5c80dcd7efaa0792d170999456c6f8bd0a5ce274ae4eb63b

    • SHA512

      293e276d463fdcf37e193536929badb42cce238f76a2e2c375eaa92fd0eccc933b6efa3f2f102c9f076ff701a3940e1788e2a2a45930460153054a7806b82f92

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      23-07-2021/RICHIESTA DI OFFERTA.exe

    • Size

      236KB

    • MD5

      73bb5c4b690b8d6df88d6bc18fb3a553

    • SHA1

      60adddd91b6038fc9d819cf6d647ce3be0b11d38

    • SHA256

      a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66

    • SHA512

      9c023dc66d9bcfb2f5bc0274001d92948ac058fc8765d2178907dfd8fb9885ede57acc3836d583ad97516dce1a97c50f081800b41a1f42ea938efb8b23e87567

    Score
    10/10
    • Target

      23-07-2021/SWIFT COPY.exe

    • Size

      856KB

    • MD5

      3a1ea135a9c0052092eedfcabe68aed8

    • SHA1

      74a913e85badf5a2e4deb3d2432968c45b7f33a6

    • SHA256

      47330ca2aa141e11e54335dbf0eea19ebb923d0b5c3670b20ee051678d87b68a

    • SHA512

      8c1191829862bffd20627d60b4087d1fdc0cda858de48cca42123123f8e3a2f3778d6e45c1438b3289f768681f4c624fe85a46a58de7bf53996eeea0897f318a

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      23-07-2021/Swift.bat

    • Size

      881KB

    • MD5

      aeb27feb1512dd535095f86595b6b942

    • SHA1

      e922aea5d270b7843d300546a25793bea7b92088

    • SHA256

      beb634a46843656d4251d26809f37ff2288cfa38d8fe5d48975cd9b546cb5d6b

    • SHA512

      bc7d4f7b6594021a032ee65ca20fba094cf9b75ba3adf6d8ab2050e29cbe11c3864c6e45e425e2fd1e5167554d11a27680af4d193a2eb193e76bc1853b729245

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      payment receipt.pdf.exe

    • Size

      863KB

    • MD5

      0353af1ae14e14bf804fb78a04ae8f42

    • SHA1

      250aa0d3f7b16d7ff122f8ad16febb9213074676

    • SHA256

      746073d0f2958ace46267fa4ed5badc249b7e3a55d76c2b230c0a8b457caf6a5

    • SHA512

      e72a7a3924b024edf190dbecf6d1466635093b9e6e366b8d283d71c8720707f989507322fb1bea3011fb4384ab69e88dddc61f1544cf0799e3bac693bc56c133

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

2
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

2
T1053

Privilege Escalation

Scheduled Task

2
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

21
T1081

Discovery

System Information Discovery

2
T1082

Collection

Data from Local System

21
T1005

Tasks

static1

Score
N/A

behavioral1

Score
3/10

behavioral2

Score
3/10

behavioral3

agenttesla, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral4

agenttesla, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral5

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral6

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral7

snakekeylogger, keylogger, spyware, stealer
Score
10/10

behavioral8

snakekeylogger, keylogger, spyware, stealer
Score
10/10

behavioral9

guloader, downloader
Score
10/10

behavioral10

guloader, downloader
Score
10/10

behavioral11

Score
1/10

behavioral12

snakekeylogger, keylogger, spyware, stealer
Score
10/10

behavioral13

guloader, downloader
Score
10/10

behavioral14

guloader, downloader
Score
10/10

behavioral15

snakekeylogger, keylogger, spyware, stealer
Score
10/10

behavioral16

snakekeylogger, keylogger, spyware, stealer
Score
10/10

behavioral17

snakekeylogger, keylogger, spyware, stealer
Score
10/10

behavioral18

snakekeylogger, keylogger, spyware, stealer
Score
10/10

behavioral19

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral20

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10