General

  • Target

    eca3cc09792ccba9c1dfa361cbaac62a0a33b94510b730e81c32b6c0ea3eddeb

  • Size

    1.5MB

  • Sample

    220208-bg25babeal

  • MD5

    4d817ea9b5c8c59adb0260d82586d20b

  • SHA1

    cb6edf8ecbe723195eb916b64c2da30dec5120e4

  • SHA256

    eca3cc09792ccba9c1dfa361cbaac62a0a33b94510b730e81c32b6c0ea3eddeb

  • SHA512

    adad2911d795c4dbe3d3965172b6675045df8bcb3c6d5901264f6940ae479b55d1fca47db1dc54473c519196126ce7504b70359ed8567c280d28c218a169da1f

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever
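The drop account in the extracted config is the sample's exfiltration channel, and the same mailbox serves both the AgentTesla and the Matiex payload. The script below is an added example for this report (not sandbox output and not the malware's own code): it decodes an AUTH LOGIN exchange from a constructed SMTP transcript and flags sessions that match the extracted host, port and username. The transcript format ("# session" header, "C:"/"S:" prefixed lines) is an assumed convention, not any tool's output. Caveat for detection engineering: on port 587 the AUTH exchange normally runs inside STARTTLS, so the decoded credentials are only visible with TLS interception in the sandbox or a host-side hook; the destination host:port and the DNS lookup for smtp.privateemail.com are what you can match on plain network telemetry. Treat the account as attacker infrastructure (report it to the provider, do not log in to it).

```python
"""Flag SMTP sessions that match the exfiltration config extracted above.

Added example for this report, not part of the sandbox output. Input is a
constructed SMTP session transcript (what a sandbox pcap decode or a
TLS-intercepting mail gateway yields); the decoder handles AUTH LOGIN only.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Indicators copied from the extracted AgentTesla/Matiex config.
EXFIL_HOST = "smtp.privateemail.com"
EXFIL_PORT = 587
EXFIL_USER = "[email protected]"      # address exactly as displayed on the page
EXFIL_PASS = "MARYolanmauluogwo@ever"


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed transcript, not captured traffic. "C:" client, "S:" server.
# Session 1 mimics the stealer's AUTH LOGIN to the configured host; session 2
# is a plain unauthenticated relay and must not be flagged.
_u_chal, _p_chal = _b64("Username:"), _b64("Password:")
_u, _p = _b64(EXFIL_USER), _b64(EXFIL_PASS)
SAMPLE_TRANSCRIPT = f"""\
# session 1: 10.0.0.5:49152 -> smtp.privateemail.com:587
S: 220 smtp.privateemail.com ESMTP
C: EHLO DESKTOP-VICTIM
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 {_u_chal}
C: {_u}
S: 334 {_p_chal}
C: {_p}
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<{EXFIL_USER}>
C: RCPT TO:<{EXFIL_USER}>
# session 2: 10.0.0.7:51000 -> mail.example.test:25
S: 220 mail.example.test ESMTP
C: EHLO DESKTOP-OTHER
C: MAIL FROM:<alice@example.test>
C: RCPT TO:<bob@example.test>
"""


@dataclass
class SmtpSession:
    src: str
    dst_host: str
    dst_port: int
    username: Optional[str] = None
    password: Optional[str] = None
    recipients: List[str] = field(default_factory=list)


SESSION_HDR = re.compile(r"^# session \d+: (\S+) -> ([\w.-]+):(\d+)$")


def _b64decode(s: str) -> str:
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except ValueError:            # binascii.Error is a ValueError subclass
        return ""


def parse_transcript(text: str) -> List[SmtpSession]:
    """Walk the transcript, recovering AUTH LOGIN values after each 334 challenge."""
    sessions: List[SmtpSession] = []
    expect: Optional[str] = None  # "user" or "pass" after a 334 challenge
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_HDR.match(line)
        if m:
            sessions.append(SmtpSession(m.group(1), m.group(2), int(m.group(3))))
            expect = None
            continue
        if not sessions or len(line) < 3 or line[1] != ":":
            continue
        side, msg = line[0], line[3:]
        cur = sessions[-1]
        if side == "S" and msg.startswith("334 "):
            # The decoded server prompt says which value the client sends next.
            expect = "user" if _b64decode(msg[4:]).lower().startswith("user") else "pass"
        elif side == "C" and expect is not None:
            value = _b64decode(msg)
            if expect == "user":
                cur.username = value
            else:
                cur.password = value
            expect = None
        elif side == "C" and msg.upper().startswith("RCPT TO:"):
            cur.recipients.append(msg.split(":", 1)[1].strip().strip("<>"))
    return sessions


def flag_exfil(sessions: List[SmtpSession]) -> List[Tuple[SmtpSession, List[str]]]:
    """Return (session, reasons) for sessions matching the extracted config."""
    hits = []
    for s in sessions:
        reasons = []
        if (s.dst_host.lower(), s.dst_port) == (EXFIL_HOST, EXFIL_PORT):
            reasons.append("destination matches extracted config")
        if s.username == EXFIL_USER:
            reasons.append("AUTH LOGIN username matches extracted config")
        # Heuristic: stealers often mail the loot to the drop account itself.
        if s.username is not None and s.recipients and all(r == s.username for r in s.recipients):
            reasons.append("mail addressed to the authenticating account itself")
        if reasons:
            hits.append((s, reasons))
    return hits


if __name__ == "__main__":
    for sess, why in flag_exfil(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(f"{sess.src} -> {sess.dst_host}:{sess.dst_port} user={sess.username}: {'; '.join(why)}")
```

AUTH PLAIN (a single base64 blob of NUL-separated authzid, user, password) is deliberately not decoded here; add a branch on "AUTH PLAIN" if your gateway sees it.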

Targets

    • Target

      1NV.exe

    • Size

      333KB

    • MD5

      9a39543f79eefc3f3d8f6b077bde9dd1

    • SHA1

      c0945ef3b12e95dfaace1e20e504b69c02405cb4

    • SHA256

      f91e8935593d3dd5132ddd5986d32f1c6e290922f7fe63245e0eba034b23c283

    • SHA512

      156971dd80dcf0e2b80f0de33ede5a2e67db633e31f018250b26a7076def08e5c22f9a8d9b7affcd3f580e1d56aa077356298692a547a9799c18508892a5d7ef

    • Target

      PICS.exe

    • Size

      332KB

    • MD5

      04426b499f9dbfe2d64d0427f8886e89

    • SHA1

      5a37717c3bd6f124995591bb1ff89dedbe078614

    • SHA256

      f4ca4b6592ae781af7585c76f6a922e5c88340df7164f07fdb3a6aa85dbfaeb5

    • SHA512

      f51be87f008d93878f4157ecb5cedd7f114e2c54c7c9179a53e1846c66f586cea5ca66a8716266c79ea66ce6674b90ee4c7125ce8d7d509369750eb3e7edbab3

    • AgentTesla

      Agent Tesla is a .NET (Visual Basic .NET) remote access tool (RAT) and credential stealer; the extracted config above shows this build exfiltrating over SMTP.

    • AgentTesla Payload

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Rewriting the context of a suspended thread is the usual final step of process hollowing: the payload is mapped into a suspended child process, the thread's entry point is pointed at it, and the thread is resumed.

    • Target

      PRICE LISTS.exe

    • Size

      637KB

    • MD5

      038f1f701b7bbb405ac3e52d2971bbf0

    • SHA1

      3a35d2857fac0dce3177499f054744002d93280f

    • SHA256

      f1a813f7b246ad7238099fa5bbe800919eecf052965c7e44684c55de8ab5d97b

    • SHA512

      c39723e9ae615f8d6004fc54b026d74c536d1fb8cab0a65a1fb7ead67126293b75f608a8ce911916d20be76a000f92ead8dd1f652abdb64a6ef3369a2bd08d5a

    • HawkEye

      HawkEye is a keylogger and credential-stealing malware kit that has seen continuous development since at least 2013; it bundles NirSoft password-recovery tools, which is why the two NirSoft signatures below fire on this target.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops startup file

    • Uses the VBS compiler for execution

      Runs inside vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework. It is a signed Microsoft binary, so a vbc.exe spawned by a non-developer process is worth treating as an injection host.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      QUOTATION.exe

    • Size

      562KB

    • MD5

      21fd27bf9ec8cae0d958388319af9556

    • SHA1

      f56d951b083b72300316ea71925868959ebbefb6

    • SHA256

      df9211c8d0cf3b06189f2b29e7704219c3ed996dd21e97ca47f63f8c1f8537da

    • SHA512

      f76da8389181d8bace01cabc1ed9f37b712e52e52eccaddf679d90dec708f19144d84e0eca1e7cbc708286c3db1a69d24fee0302ed498fcb03ab16c49940bd7c

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020; its extracted config uses the same SMTP drop account as the AgentTesla payload.

    • Matiex Main Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
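The "Reads data files stored by FTP clients" signature on QUOTATION.exe points at FileZilla's configuration files. The following added example (written for this report, not part of the sandbox output or the malware) shows what a stealer recovers from them: FileZilla keeps saved sites in %APPDATA%\FileZilla\sitemanager.xml and recent connections in recentservers.xml, with passwords stored as base64 in current versions, as plain text in older ones, and as an opaque blob only when a master password is set. The XML is constructed to show all three cases; the real files on an infected host are what you would feed in.

```python
"""Decode what an infostealer gets from FileZilla's config files.

Added example, not part of the sandbox report. FileZilla keeps saved sites in
%APPDATA%\\FileZilla\\sitemanager.xml and recent connections in
recentservers.xml. Passwords there are base64 (current versions) or plain
text (older versions) unless a master password is set, in which case the
Pass element carries encoding="crypt" and is not recoverable from the file.
"""
import base64
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional

# Constructed sitemanager.xml, not taken from the sample's sandbox run.
SAMPLE_SITEMANAGER = """\
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.60.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>webadmin</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>production site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>1</Logontype>
      <User>deploy</User>
      <Pass>legacy-plaintext</Pass>
    </Server>
    <Server>
      <Host>ftp.locked.test</Host>
      <Port>21</Port>
      <Logontype>1</Logontype>
      <User>vault</User>
      <Pass encoding="crypt">c29tZS1vcGFxdWUtYmxvYg==</Pass>
    </Server>
  </Servers>
</FileZilla3>
"""


class FtpCred(NamedTuple):
    host: str
    port: int
    user: str
    password: Optional[str]   # None when nothing recoverable is stored
    storage: str              # how the file held it


def parse_filezilla(xml_text: str) -> List[FtpCred]:
    """Extract every <Server> entry and decode its stored password if possible."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    creds: List[FtpCred] = []
    for server in root.iter("Server"):
        host = server.findtext("Host", "").strip()
        port = int(server.findtext("Port", "21") or 21)
        user = server.findtext("User", "").strip()
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            creds.append(FtpCred(host, port, user, None, "none stored"))
            continue
        raw = pass_el.text.strip()
        encoding = pass_el.get("encoding", "")
        if encoding == "base64":
            # base64 is obfuscation, not encryption: one call recovers it.
            pw = base64.b64decode(raw).decode("utf-8", "replace")
            creds.append(FtpCred(host, port, user, pw, "base64"))
        elif encoding == "crypt":
            creds.append(FtpCred(host, port, user, None, "master-password protected"))
        else:
            creds.append(FtpCred(host, port, user, raw, "plaintext (older format)"))
    return creds


def exposed_credentials(creds: List[FtpCred]) -> List[FtpCred]:
    """Entries a stealer recovers outright: rotate these after an infection."""
    return [c for c in creds if c.password is not None]


if __name__ == "__main__":
    for c in exposed_credentials(parse_filezilla(SAMPLE_SITEMANAGER)):
        print(f"ROTATE {c.user}@{c.host}:{c.port} ({c.storage})")
```

Run it against sitemanager.xml and recentservers.xml collected from the infected profile to produce the rotation list; the master-password case is the one storage mode that does not end up in the stealer's mail.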

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                            Count  ID
  Execution           Scripting                            1      T1064
  Persistence         Registry Run Keys / Startup Folder   3      T1060
  Defense Evasion     Modify Registry                      3      T1112
  Defense Evasion     Scripting                            1      T1064
  Credential Access   Credentials in Files                 4      T1081
  Discovery           Query Registry                       2      T1012
  Discovery           System Information Discovery         2      T1082
  Collection          Data from Local System               4      T1005
  Collection          Email Collection                     2      T1114

  The Count column is the number of signature hits mapped to each technique across the four targets. These are ATT&CK v6 IDs: in current ATT&CK, T1060 maps to T1547.001 (Registry Run Keys / Startup Folder), T1081 maps to T1552.001 (Credentials in Files), and T1064 was retired in favour of the T1059 sub-techniques; T1112, T1012, T1082, T1005 and T1114 are unchanged.
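Three of the four targets add a Run key or drop a startup file (Registry Run Keys / Startup Folder, T1060 above). The script below is an added triage example for this report, not sandbox output: it parses a `reg export` of the Run key (what you collect from an infected host or a disk image) and flags entries whose image sits in a user-writable directory or borrows a system binary's name outside %SystemRoot%. The report does not list the actual key names or values the samples wrote, so the export text is constructed; the HKCU\...\Run path and the .reg file syntax are real.

```python
"""Triage Registry Run key entries from a `reg export` file (T1060).

Added example, not part of the sandbox report. The .reg text below is
constructed; the key path and the file syntax are the real ones.
"""
import re
from typing import List, NamedTuple

# Constructed export, e.g. from:
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
# A real file is UTF-16LE with BOM: open(path, encoding="utf-16").read()
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Pics"="C:\\Users\\victim\\AppData\\Roaming\\Pics\\PICS.exe"
"Updater"="\"C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''


class RunEntry(NamedTuple):
    key: str
    name: str
    command: str


class Finding(NamedTuple):
    name: str
    image: str
    reasons: List[str]


REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# REG_SZ values only: "name"="data" with \\ and \" escapes. hex(...) lines are skipped.
REG_SZ = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe"}


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[RunEntry]:
    """Return the string values found under any Run/RunOnce key in the export."""
    entries: List[RunEntry] = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = REG_SZ.match(line)
        if m and key and key.lower().endswith(RUN_KEYS):
            entries.append(RunEntry(key, _unescape(m.group("name")), _unescape(m.group("data"))))
    return entries


def image_path(command: str) -> str:
    """Pull the executable path out of a Run value (quoted or bare, with args)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.+?\.(?:exe|com|scr|bat|cmd|vbs|js|ps1|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(entries: List[RunEntry]) -> List[Finding]:
    findings: List[Finding] = []
    for e in entries:
        path = image_path(e.command)
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons: List[str] = []
        if any(p in low for p in USER_WRITABLE):
            reasons.append("image in user-writable location")
        if base in SYSTEM_NAMES and "\\windows\\" not in low:
            reasons.append("system binary name outside %SystemRoot%")
        if base in SCRIPT_HOSTS:
            reasons.append("script/LOLBin host with arguments")
        if reasons:
            findings.append(Finding(e.name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f.name}: {f.image} -> {'; '.join(f.reasons)}")
```

Pair the flagged images with the SHA256 values listed under Targets to confirm which dropped copy is the persisted one; the same checks apply to the HKLM Run keys and to files in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.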

Tasks