Overview
overview
10Static
static
8BL. NO. AN...21.exe
windows7_x64
10BL. NO. AN...21.exe
windows10_x64
10Sample_101...mg.exe
windows7_x64
10Sample_101...mg.exe
windows10_x64
10Invoice 19...df.exe
windows7_x64
1Invoice 19...df.exe
windows10_x64
10Leak/PROFO...CE.doc
windows7_x64
10Leak/PROFO...CE.doc
windows10_x64
1Payment re...df.exe
windows7_x64
10Payment re...df.exe
windows10_x64
10Leak/Profo...mg.xls
windows7_x64
10Leak/Profo...mg.xls
windows10_x64
10General
-
Target
Leak.zip
-
Size
3.0MB
-
Sample
211026-hsxsasghf9
-
MD5
cd6305e8c52cd93979c3a93164861c86
-
SHA1
955850b81692f2b5b83a5a7ecc2fc6f4b11618d4
-
SHA256
6243afcc3184f4bf3f969dd7fed686e57e574d17417ec71351bc71d5adba673d
-
SHA512
cb5790048002ae59ef51c9e9d99cb7eea63992a39c157f5cb748faafb28aa52388b50e863e18fa70b879c05afe899743523c3c1fa0cb8e189890551a03a0d1d4
Static task
static1
Behavioral task
behavioral1
Sample
BL. NO. ANSMUNDAR3621.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
BL. NO. ANSMUNDAR3621.exe
Resource
win10-en-20210920
Behavioral task
behavioral3
Sample
Sample_10120351200_ISO_035117img.exe
Resource
win7-en-20210920
Behavioral task
behavioral4
Sample
Sample_10120351200_ISO_035117img.exe
Resource
win10-en-20211014
Behavioral task
behavioral5
Sample
Invoice 1905-20-1907-20.pdf.exe
Resource
win7-en-20210920
Behavioral task
behavioral6
Sample
Invoice 1905-20-1907-20.pdf.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
Leak/PROFORMA INVOICE.doc
Resource
win7-en-20210920
Behavioral task
behavioral8
Sample
Leak/PROFORMA INVOICE.doc
Resource
win10-en-20211014
Behavioral task
behavioral9
Sample
Payment receipt.pdf.exe
Resource
win7-en-20210920
Behavioral task
behavioral10
Sample
Payment receipt.pdf.exe
Resource
win10-en-20210920
Behavioral task
behavioral11
Sample
Leak/Proforma invoice35117img.xls
Resource
win7-en-20211014
Behavioral task
behavioral12
Sample
Leak/Proforma invoice35117img.xls
Resource
win10-en-20210920
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.topfrozenfoodbrand.com - Port:
587 - Username:
webmaster@topfrozenfoodbrand.com - Password:
Chukwudim28@
Extracted
snakekeylogger
Protocol: smtp- Host:
ilbgone.cyou - Port:
587 - Username:
serviceinc@ilbgone.cyou - Password:
H3c8T~{Vz%IH
Extracted
formbook
4.1
ed9s
http://www.vaughnmethod.com/ed9s/
pocketoptioniraq.com
merabestsolutions.com
atelectronics.site
fuxueshi.net
infinitystay.com
forensicconcept.site
txpmachine.com
masterwhs.xyz
dia-gnwsis.art
fulltiltnodes.com
bigbnbbsc.com
formation-figma.com
bonanacroin.net
medicalmarijuanasatx.com
bagnavy.com
aaegiscares.net
presentationpublicschool.com
bestyousite.site
prescriptionn.com
beyondthenormbouquets.com
sinclairsparkes.com
yesterdayglass.com
lj-safe-keepinganwgt76.xyz
winlegends.com
perthvideoproduction.com
sgh.technology
athletik.biz
cardealergame.com
ugkhmel.xyz
4346emerald.com
soulconstructionservices.com
dalmac-nj.com
marylink.net
gentciu.com
insidecity.company
wensum-creations.com
frontwonline.com
8xovz.xyz
pickaxecoffee.com
stonezhang.top
markmra1995.site
valleysettlewash.top
canadabulkmushrooms.com
shiningoutdoors.com
elysiarv.xyz
artoidmode.com
whileloading.com
crgcatherine.com
usa111.com
tourmalinesepiapirole.info
infodf.xyz
girldollg.xyz
paypal-caseid581.com
bymetronet.com
outranky.com
bankinsurance.site
iscinterconnectsolutions.com
networth.fyi
fastplaycdn.xyz
fernradio.com
sergeantrandom.net
islamic-coins.com
naplesgolfcartbatteries2u.com
seniormedicarebenefits.net
Extracted
formbook
4.1
mo9n
http://www.lievival.info/mo9n/
circuit-town.com
stock-high.xyz
barlindelivery.com
littletoucans.com
bright-tailor.com
firsthandcares.com
ecompropeller.com
circuitoalberghiero.net
creative-egyptps.com
bitracks56.com
douhonghong.com
fingertipcollection.com
happy-bihada.space
blockchainairdropreward.com
xn--reljame-jwa.com
polloycarnesdelivery.com
d22.group
eslamshahrservice.com
vanzing.com
juzide.com
g5795ky.com
ufound1.com
cifbit.com
shawtopia.com
tourmethere.com
heritagepedia.com
832391.com
voltera.solar
greatergods.com
shchengtang.com
oyakudachibiz.com
kentislandeats.com
quietaou.com
infinitephoenix.club
tmrtg.com
menes.digital
sefappliancerepair.com
tnghana.com
tanyan.xyz
findyourtrailhead.com
labizandbryan.com
agnesdesigner.net
lebai100.com
lz-fcaini1718-hw0917-bs.xyz
nucleustudio.com
smartsparklegal.com
streets4suites.com
neo-graphite.com
maquinariaarenastlaxmexcom.com
svartmancoaching.com
icarus-groupe.com
media777.club
juicyyjuicebox.com
sakinawlake.properties
escrubpro.com
onlinecasino-tengoku.com
ganymede.sbs
sunshineprofitness.com
solideo.place
septemberstockevent100.com
tjginde.com
shopamwplanner.com
ee7r.com
sootherelaxandheal.com
Extracted
http://18.159.149.5/nbl/joy/11/Sample_10120351200_ISO_035117img.exe
Targets
-
-
Target
BL. NO. ANSMUNDAR3621.exe
-
Size
705KB
-
MD5
5e4930b37a31c65525ec4e308a67fb7e
-
SHA1
c598d2e034dd4d1e1266b8d0f047cfd629b56ab9
-
SHA256
a96249e0df2c88e2e047ad332ba7d2755dd6f390d39afc67de05ddfa8726e53f
-
SHA512
86600dfb132d057a6f7fe4d644b8c3577ef83ed95e2986d4c2d3475c6af92db1eb7bb3ef6288b29b441e30443057c296838bb49e1980e0ed7dfafdff7a6968e4
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
Sample_10120351200_ISO_035117img.exe
-
Size
833KB
-
MD5
0d20e6334179eeadad75c218d0d9dca2
-
SHA1
ab19c8e05121be1bfed70591477610cd12e066ab
-
SHA256
8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e
-
SHA512
3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd
Score10/10-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Invoice 1905-20-1907-20.pdf.exe
-
Size
742KB
-
MD5
d40d05b8b73fb36ca9ae679997decbf7
-
SHA1
1099139b29753b0308fd3729a1b0a894fb98b94e
-
SHA256
9509214ef8fd1704c88aebdd75cf26345735cf6901af44de6038dce4e4d46f34
-
SHA512
6c6388214929c2d094584c8ddfe5b116ff6c250e2c32f161d5328a258191e115fca6a10275e7e366a7ab976116e2b2406dbc699c4a5287aac39ee127657d900b
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Suspicious use of SetThreadContext
-
-
-
Target
Leak/PROFORMA INVOICE.doc
-
Size
236KB
-
MD5
4894c7f281ca84866cdafa19c52c734d
-
SHA1
23dfaf317b8a82107ef2f2906d37a0aa8b85d828
-
SHA256
14cfd6340c189704a9d65b0d3c9aa8472119d30987296c1d04bc225ea0f9891d
-
SHA512
fb44d35335238450f90263a8c2c9264fc0d22e76c3eef4517eb27b6408f9686edad968461ce73ad4ca9fe93e68644dcebc7883944594e6faf62bdbb6a3a70ef7
-
Formbook Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
-
-
Target
Payment receipt.pdf.exe
-
Size
707KB
-
MD5
d4be4730ee0e801938ae40b02b5ec346
-
SHA1
5a36a50fe19f08f5c34db24127b43bdceb85bb42
-
SHA256
0e6c644f1252507e018b0fbe6b83902adcd2278a083fe1902092f627babf3711
-
SHA512
d4e4a31f6be9df302010ef550191ab5c4f37aaa277e61b88600253ebd8cb7f3a670b13dfd459dc75f88946f78bc2403ca6739d042a6909411bd20dcfda149a29
-
Formbook Payload
-
Deletes itself
-
Suspicious use of SetThreadContext
-
-
-
Target
Leak/Proforma invoice35117img.xls
-
Size
118KB
-
MD5
9a5a1a96ece8355f2058a27b2ba2770e
-
SHA1
e12d878494854545cb39c316cc98db3c9577bf25
-
SHA256
c7f619995bc97f5c8b8b24e9d55cf36d2eb0af87ba5eb389cb36ec7b0c669b76
-
SHA512
1503cdd8083531b098a7ae8c31af63658763bc9147fe80571bbeb34249d1264a963104aaa512fec0efe3c2659eb6b1219cb2b64522cf0843c8b7284e0394edd8
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-