General

  • Target

    Leak.zip

  • Size

    3.0MB

  • Sample

    211026-hsxsasghf9

  • MD5

    cd6305e8c52cd93979c3a93164861c86

  • SHA1

    955850b81692f2b5b83a5a7ecc2fc6f4b11618d4

  • SHA256

    6243afcc3184f4bf3f969dd7fed686e57e574d17417ec71351bc71d5adba673d

  • SHA512

    cb5790048002ae59ef51c9e9d99cb7eea63992a39c157f5cb748faafb28aa52388b50e863e18fa70b879c05afe899743523c3c1fa0cb8e189890551a03a0d1d4

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.topfrozenfoodbrand.com
  • Port:
    587
  • Username:
    webmaster@topfrozenfoodbrand.com
  • Password:
    Chukwudim28@

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    ilbgone.cyou
  • Port:
    587
  • Username:
    serviceinc@ilbgone.cyou
  • Password:
    H3c8T~{Vz%IH

Extracted

Family

formbook

Version

4.1

Campaign

ed9s

C2

http://www.vaughnmethod.com/ed9s/

Decoy

pocketoptioniraq.com

merabestsolutions.com

atelectronics.site

fuxueshi.net

infinitystay.com

forensicconcept.site

txpmachine.com

masterwhs.xyz

dia-gnwsis.art

fulltiltnodes.com

bigbnbbsc.com

formation-figma.com

bonanacroin.net

medicalmarijuanasatx.com

bagnavy.com

aaegiscares.net

presentationpublicschool.com

bestyousite.site

prescriptionn.com

beyondthenormbouquets.com

Extracted

Family

formbook

Version

4.1

Campaign

mo9n

C2

http://www.lievival.info/mo9n/

Decoy

circuit-town.com

stock-high.xyz

barlindelivery.com

littletoucans.com

bright-tailor.com

firsthandcares.com

ecompropeller.com

circuitoalberghiero.net

creative-egyptps.com

bitracks56.com

douhonghong.com

fingertipcollection.com

happy-bihada.space

blockchainairdropreward.com

xn--reljame-jwa.com

polloycarnesdelivery.com

d22.group

eslamshahrservice.com

vanzing.com

juzide.com

Extracted

  • Language:
    ps1
  • Source:
    exe.dropper
  • URLs:
    http://18.159.149.5/nbl/joy/11/Sample_10120351200_ISO_035117img.exe

Targets

    • Target

      BL. NO. ANSMUNDAR3621.exe

    • Size

      705KB

    • MD5

      5e4930b37a31c65525ec4e308a67fb7e

    • SHA1

      c598d2e034dd4d1e1266b8d0f047cfd629b56ab9

    • SHA256

      a96249e0df2c88e2e047ad332ba7d2755dd6f390d39afc67de05ddfa8726e53f

    • SHA512

      86600dfb132d057a6f7fe4d644b8c3577ef83ed95e2986d4c2d3475c6af92db1eb7bb3ef6288b29b441e30443057c296838bb49e1980e0ed7dfafdff7a6968e4

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other sensitive items.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      Sample_10120351200_ISO_035117img.exe

    • Size

      833KB

    • MD5

      0d20e6334179eeadad75c218d0d9dca2

    • SHA1

      ab19c8e05121be1bfed70591477610cd12e066ab

    • SHA256

      8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e

    • SHA512

      3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Invoice 1905-20-1907-20.pdf.exe

    • Size

      742KB

    • MD5

      d40d05b8b73fb36ca9ae679997decbf7

    • SHA1

      1099139b29753b0308fd3729a1b0a894fb98b94e

    • SHA256

      9509214ef8fd1704c88aebdd75cf26345735cf6901af44de6038dce4e4d46f34

    • SHA512

      6c6388214929c2d094584c8ddfe5b116ff6c250e2c32f161d5328a258191e115fca6a10275e7e366a7ab976116e2b2406dbc699c4a5287aac39ee127657d900b

    • Target

      Leak/PROFORMA INVOICE.doc

    • Size

      236KB

    • MD5

      4894c7f281ca84866cdafa19c52c734d

    • SHA1

      23dfaf317b8a82107ef2f2906d37a0aa8b85d828

    • SHA256

      14cfd6340c189704a9d65b0d3c9aa8472119d30987296c1d04bc225ea0f9891d

    • SHA512

      fb44d35335238450f90263a8c2c9264fc0d22e76c3eef4517eb27b6408f9686edad968461ce73ad4ca9fe93e68644dcebc7883944594e6faf62bdbb6a3a70ef7

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      Payment receipt.pdf.exe

    • Size

      707KB

    • MD5

      d4be4730ee0e801938ae40b02b5ec346

    • SHA1

      5a36a50fe19f08f5c34db24127b43bdceb85bb42

    • SHA256

      0e6c644f1252507e018b0fbe6b83902adcd2278a083fe1902092f627babf3711

    • SHA512

      d4e4a31f6be9df302010ef550191ab5c4f37aaa277e61b88600253ebd8cb7f3a670b13dfd459dc75f88946f78bc2403ca6739d042a6909411bd20dcfda149a29

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      Leak/Proforma invoice35117img.xls

    • Size

      118KB

    • MD5

      9a5a1a96ece8355f2058a27b2ba2770e

    • SHA1

      e12d878494854545cb39c316cc98db3c9577bf25

    • SHA256

      c7f619995bc97f5c8b8b24e9d55cf36d2eb0af87ba5eb389cb36ec7b0c669b76

    • SHA512

      1503cdd8083531b098a7ae8c31af63658763bc9147fe80571bbeb34249d1264a963104aaa512fec0efe3c2659eb6b1219cb2b64522cf0843c8b7284e0394edd8

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064): 2
  • Scheduled Task (T1053): 2
  • Exploitation for Client Execution (T1203): 1

Persistence

  • Scheduled Task (T1053): 2

Privilege Escalation

  • Scheduled Task (T1053): 2

Defense Evasion

  • Scripting (T1064): 2
  • Modify Registry (T1112): 2

Credential Access

  • Credentials in Files (T1081): 2

Discovery

  • System Information Discovery (T1082): 6
  • Query Registry (T1012): 4

Collection

  • Data from Local System (T1005): 2
  • Email Collection (T1114): 3

Tasks