Overview: score 10
Static: score 8

Tasks (sample, platform, score):
27-07-2021...de.pdf, windows7_x64, score 1
27-07-2021...de.pdf, windows10_x64, score 1
27-07-2021...58.doc, windows7_x64, score 10
27-07-2021...58.doc, windows10_x64, score 10
27-07-2021...58.exe, windows7_x64, score 10
27-07-2021...58.exe, windows10_x64, score 10
27-07-2021...1.docx, windows7_x64, score 4
27-07-2021...1.docx, windows10_x64, score 1
27-07-2021...1.docx, windows7_x64, score 4
27-07-2021...1.docx, windows10_x64, score 1
27-07-2021...80.exe, windows7_x64, score 10
27-07-2021...80.exe, windows10_x64, score 10
27-07-2021...PO.exe, windows7_x64, score 10
27-07-2021...PO.exe, windows10_x64, score 10
27-07-2021...ST.exe, windows7_x64, score 10
27-07-2021...ST.exe, windows10_x64, score 10
27-07-2021...ON.exe, windows7_x64, score 10
27-07-2021...ON.exe, windows10_x64, score 10
27-07-2021...21.pdf, windows7_x64, score 1
27-07-2021...21.pdf, windows10_x64, score 1
27-07-2021...PY.exe, windows7_x64, score 10
27-07-2021...PY.exe, windows10_x64, score 10
27-07-2021...AT.exe, windows7_x64, score 10
27-07-2021...AT.exe, windows10_x64, score 10
27-07-2021...ry.exe, windows7_x64
27-07-2021...ry.exe, windows10_x64, score 10

General
Target: 27-07-2021.7z
Size: 4.3MB
Sample: 210727-rl9s8e8rt2
MD5: 40bd404957785859d7dc75f986b0e9b5
SHA1: c23abb937f8f509d8e80d366ec2580206a590c64
SHA256: a544b4050677d9e5ad964398954cf7d74c96b65a1126a8bb3491fbe52ff0ec10
SHA512: fd553802e9a27dd8e07b18af8d4d3511fe9e41dae54d01c8211a57742c3308e133735a289f9242688df8fc27fbf8ccd1cfbe33e36469f1c651972cd95e9ac50b
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1 - 27-07-2021/27-07-2021/Dike-Infocert-Upgrade.pdf - win7v20210408
behavioral2 - 27-07-2021/27-07-2021/Dike-Infocert-Upgrade.pdf - win10v20210410
behavioral3 - 27-07-2021/27-07-2021/ETL_013265_601_0758.doc - win7v20210408
behavioral4 - 27-07-2021/27-07-2021/ETL_013265_601_0758.doc - win10v20210410
behavioral5 - 27-07-2021/27-07-2021/ETL_013265_601_0758.exe - win7v20210408
behavioral6 - 27-07-2021/27-07-2021/ETL_013265_601_0758.exe - win10v20210410
behavioral7 - 27-07-2021/27-07-2021/FL_6110_32_75_21.docx - win7v20210410
behavioral8 - 27-07-2021/27-07-2021/FL_6110_32_75_21.docx - win10v20210408
behavioral9 - 27-07-2021/27-07-2021/IMG_1026001780541.docx - win7v20210410
behavioral10 - 27-07-2021/27-07-2021/IMG_1026001780541.docx - win10v20210408
behavioral11 - 27-07-2021/27-07-2021/Inv_7623980.exe - win7v20210410
behavioral12 - 27-07-2021/27-07-2021/Inv_7623980.exe - win10v20210408
behavioral13 - 27-07-2021/27-07-2021/New PO.exe - win7v20210410
behavioral14 - 27-07-2021/27-07-2021/New PO.exe - win10v20210410
behavioral15 - 27-07-2021/27-07-2021/ORDER LIST.exe - win7v20210408
behavioral16 - 27-07-2021/27-07-2021/ORDER LIST.exe - win10v20210410
behavioral17 - 27-07-2021/27-07-2021/REQUEST FOR QUOTATION.exe - win7v20210408
behavioral18 - 27-07-2021/27-07-2021/REQUEST FOR QUOTATION.exe - win10v20210410
behavioral19 - 27-07-2021/27-07-2021/Remittance Copy 22-07-21.pdf - win7v20210408
behavioral20 - 27-07-2021/27-07-2021/Remittance Copy 22-07-21.pdf - win10v20210410
behavioral21 - 27-07-2021/27-07-2021/SWIFT COPY.exe - win7v20210410
behavioral22 - 27-07-2021/27-07-2021/SWIFT COPY.exe - win10v20210408
behavioral23 - 27-07-2021/27-07-2021/WE09858577444.BAT.exe - win7v20210410
behavioral24 - 27-07-2021/27-07-2021/WE09858577444.BAT.exe - win10v20210408
behavioral25 - 27-07-2021/27-07-2021/inquiry.exe - win7v20210410
Malware Config

Extracted:
http://lifestyledrinks.hu/wp-includes/cs3/ETL_013265_601_0758.exe

Extracted: snakekeylogger
Protocol: smtp
Host: netjul.xyz
Port: 587
Username: shotels5@netjul.xyz
Password: ZG-6{&tj}+P&

Extracted: xloader 2.3
http://www.inverservi.com/m6b5/
http://www.innovisionuk.co.uk/eds5/
Extracted: agenttesla
Protocol: smtp
Host: smtp.alruomigroup.com
Port: 587
Username: chimaobi@alruomigroup.com
Password: LtURz%y7

Extracted: lokibot
https://pakilogs2020.xyz/t/e/yaya.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets

Target: 27-07-2021/27-07-2021/Dike-Infocert-Upgrade.pdf
Size: 166KB
MD5: 79d72109de10fb216e198acc18fa2a9b
SHA1: 5a6379f5049fc32a789b9ee352e4aeb81aa02e85
SHA256: 997faf26c74e06deed8c11b029e87c5eb1e577b31f1be8646bb583be4d9bf131
SHA512: 616057afa72f5c2e014e5a9e75b10dd6941968a5ee9430beac84214205953362242a3dd47cd6b8d5586e002c5475edbe01b820545b252406d3e1bfc0242c5417
Score: 1/10

Target: 27-07-2021/27-07-2021/ETL_013265_601_0758.doc
Size: 114KB
MD5: a35d5eec842a0785f5b461da949b00cb
SHA1: fec56ecc489b226da672ecd31428a568b3e9dd2b
SHA256: 1f2a609fdb89b7fda367578568a00f9739105c8a01202fd7c8784515be4bdd35
SHA512: fe60851ff0f43f0f55aac199dbe53a4de8a28e34732a4d83cca2d9f9820141f5dfbbfd7e5973e4c4226a16e1f4962395c9a97015dabe86a817f6970c2777ff82
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.

Target: 27-07-2021/27-07-2021/ETL_013265_601_0758.exe
Size: 337KB
MD5: 863073f13eba19c52ef95da414aa6d6e
SHA1: 195ac3ae5de2823931a3a6d9f3d455d9b107cbe2
SHA256: 977a7f6f9d32df5d74f58a8fefabda186f1b467a9ff25551ab2667e620c8d136
SHA512: 60083a00b32fffed577944d94596e92e009ed882a10a54de83f7436a1118777582703fbdcf6677896c3e0840ce4deb9d857963df0122f112eaa783a61d2d6102
Score: 10/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 27-07-2021/27-07-2021/FL_6110_32_75_21.docx
Size: 23KB
MD5: 182a5a29ec72c7c85f8e591f3018f84c
SHA1: bb1a1880958dfc7bd6b158244f8c70f9e4519c89
SHA256: d8b0149aca86d6e42663afdca70f90c3cbe9c9ab92a2f3dce4c511023da16b58
SHA512: ef01108b087508448ec47c6de75fedfe3db5504ce6b920a613b5665a56d981eb6eabb88a40e61203a11cf29965a1eb8468025a1e91b07876217ae882d6da7e0c
Score: 4/10

Target: 27-07-2021/27-07-2021/IMG_1026001780541.docx
Size: 18KB
MD5: 7dfffb928a11a1609d6e211a4a185291
SHA1: 20fd0c988d8507b2590cb3959d1d1a8c0d91b33f
SHA256: bfb18865baa2b888ffdb2ac40383f02e15eb1fc3f0af58a3af6910cf3bbf6be5
SHA512: 0e455e70dc07a7a2521417d5a2f2fa047fbcef3a0260a17ed66f505d61e9a4eeb3e4e2ffeedf1e53a2fed65def123cb6ae5affb5a3e5329fc6b29247ac41c3fa
Score: 4/10

Target: 27-07-2021/27-07-2021/Inv_7623980.exe
Size: 957KB
MD5: ac0aafad021d642a83f0e0e00f925160
SHA1: 9a225f4936ef458a3371e7681f942b7733d8eb25
SHA256: 81cbdffd1b44ca983180456d058b8eaadf51adbd19600dbbde68be7a4ef09a54
SHA512: 07683f8a9d789cc6e29a3ece064df8d9ba8e3d083a13c76cfeb669b75ecbfc0108669c3438a67fb9034a5fb98864680b6298d0c5506046f4d3581b08cb1d1504
Signatures:
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Deletes itself
- Suspicious use of SetThreadContext

Target: 27-07-2021/27-07-2021/New PO.exe
Size: 922KB
MD5: 5b65abb4776d7bae7624c3085a5a227a
SHA1: 7eedb005b4e3a79aa4482f8fe04c16ee4490bfb6
SHA256: 4f28687d01e29f37854b840c3f5f0fe2cd506c87d4f7b036bdddcd147dc2cbc3
SHA512: 0950b2d6597edc91ca41f54c368dc2cef78827a5be23d056a90d2459639763929365cf926ff219a4884925e3ae79b360f55c98b8f909c34236890ac26f60fba6
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 27-07-2021/27-07-2021/ORDER LIST.exe
Size: 1.0MB
MD5: acb2c77ec09e0f489a46d0444fd13722
SHA1: e1c634d2c126badf2653321cb8bf00a8fb0ac758
SHA256: 4d5b7a00ca51272e234b450d592eaa7fead764c48374683aedc1ecb92959ac58
SHA512: 305235b692ab46567e93fa43b05f84a1d01a17522deac2860219e2eb7857b99581c03ec0c6e4a784c2c3b92eba7b6700900ec5e08797d031d2f95381c9669c31
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 27-07-2021/27-07-2021/REQUEST FOR QUOTATION.exe
Size: 971KB
MD5: e2995661e50a0417ea38b5b913c2c3e2
SHA1: 98bb91436bb06e8fd972bf16cfd80b00c9f17fbf
SHA256: 1c9886a480ebd5e6c337b744f50c83a7ec80960b4dfd1b879be4ea32c9851674
SHA512: b0c83d2858640b7fbb6906a299e8fa51a9ad78c48121d7edbab306771747aa52e3af95cd2521911f1d16f9cfba630f30625c05fb710f7f6eee77ffd6971817db
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 27-07-2021/27-07-2021/Remittance Copy 22-07-21.pdf
Size: 22KB
MD5: aeafd0bee485a843ee4210ed01358720
SHA1: 882368e6f101ad0f25264d6e437cb79c3d736ede
SHA256: e1665fd25b191c4151e161d52a2b8900d0786e06d684188f457041551bb5581d
SHA512: 9d50892b4780f4bcebb556181391bc0fffdbe12b4325331f9d9f22c693012ce821d071573a74f9ea0bc708c154b9465f316168c7ef2c3ecd86b6be39bc95f915
Score: 1/10

Target: 27-07-2021/27-07-2021/SWIFT COPY.exe
Size: 856KB
MD5: 3a1ea135a9c0052092eedfcabe68aed8
SHA1: 74a913e85badf5a2e4deb3d2432968c45b7f33a6
SHA256: 47330ca2aa141e11e54335dbf0eea19ebb923d0b5c3670b20ee051678d87b68a
SHA512: 8c1191829862bffd20627d60b4087d1fdc0cda858de48cca42123123f8e3a2f3778d6e45c1438b3289f768681f4c624fe85a46a58de7bf53996eeea0897f318a
Score: 10/10
Signatures:
- Snake Keylogger Payload
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 27-07-2021/27-07-2021/WE09858577444.BAT
Size: 714KB
MD5: bc8b50b6a11269ee38311b3fa4df309f
SHA1: 47b34c1e6c0be4009aa751eb3b9cf8f1e2fa31a7
SHA256: b1ec17858b3f2267763c44d569c272eafbae5ac893575a8a0db0cd066a42baf8
SHA512: d544330b4d45479ce5e0de455cf1416e0b19fbe811d8b6621a0d9dd0a3851372ac03d88d0c9f2fded7afce79ada6adca0687b8b3cfd62e5a8cf218c7baa36a3b
Signatures:
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Suspicious use of SetThreadContext

Target: 27-07-2021/27-07-2021/inquiry.exe
Size: 633KB
MD5: 2241793c4af10d980c06107b8b55c2f2
SHA1: 7e2aa1cdb794b9e81170be270ce9ecc5f2c19187
SHA256: 794e8844531d9ea6f37755360d429ed93827c79e77c7b5bf76ad08b4108549dd
SHA512: 6ffebecf90b5455e5fefcd3488c1914ee104fa360a1f434e4f1d5a565be3483a122e34e9b572149e393212e36b5c18b0d7d1e8e5c0c6257c63611e697eb2b73d
Signatures:
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Suspicious use of SetThreadContext