General
Target: eca3cc09792ccba9c1dfa361cbaac62a0a33b94510b730e81c32b6c0ea3eddeb
Size: 1.5MB
Sample: 220208-bg25babeal
MD5: 4d817ea9b5c8c59adb0260d82586d20b
SHA1: cb6edf8ecbe723195eb916b64c2da30dec5120e4
SHA256: eca3cc09792ccba9c1dfa361cbaac62a0a33b94510b730e81c32b6c0ea3eddeb
SHA512: adad2911d795c4dbe3d3965172b6675045df8bcb3c6d5901264f6940ae479b55d1fca47db1dc54473c519196126ce7504b70359ed8567c280d28c218a169da1f
Static task: static1
Behavioral task behavioral1: sample 1NV.exe, resource win7-en-20211208
Behavioral task behavioral2: sample 1NV.exe, resource win10v2004-en-20220113
Behavioral task behavioral3: sample PICS.exe, resource win7-en-20211208
Behavioral task behavioral4: sample PICS.exe, resource win10v2004-en-20220113
Behavioral task behavioral5: sample PRICE LISTS.exe, resource win7-en-20211208
Behavioral task behavioral6: sample PRICE LISTS.exe, resource win10v2004-en-20220113
Behavioral task behavioral7: sample QUOTATION.exe, resource win7-en-20211208
Behavioral task behavioral8: sample QUOTATION.exe, resource win10v2004-en-20220113
Malware Config
Extracted (agenttesla)
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: MARYolanmauluogwo@ever
Extracted
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: MARYolanmauluogwo@ever
Extracted (matiex)
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: MARYolanmauluogwo@ever
Targets

Target: 1NV.exe
Size: 333KB
MD5: 9a39543f79eefc3f3d8f6b077bde9dd1
SHA1: c0945ef3b12e95dfaace1e20e504b69c02405cb4
SHA256: f91e8935593d3dd5132ddd5986d32f1c6e290922f7fe63245e0eba034b23c283
SHA512: 156971dd80dcf0e2b80f0de33ede5a2e67db633e31f018250b26a7076def08e5c22f9a8d9b7affcd3f580e1d56aa077356298692a547a9799c18508892a5d7ef
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: PICS.exe
Size: 332KB
MD5: 04426b499f9dbfe2d64d0427f8886e89
SHA1: 5a37717c3bd6f124995591bb1ff89dedbe078614
SHA256: f4ca4b6592ae781af7585c76f6a922e5c88340df7164f07fdb3a6aa85dbfaeb5
SHA512: f51be87f008d93878f4157ecb5cedd7f114e2c54c7c9179a53e1846c66f586cea5ca66a8716266c79ea66ce6674b90ee4c7125ce8d7d509369750eb3e7edbab3
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: PRICE LISTS.exe
Size: 637KB
MD5: 038f1f701b7bbb405ac3e52d2971bbf0
SHA1: 3a35d2857fac0dce3177499f054744002d93280f
SHA256: f1a813f7b246ad7238099fa5bbe800919eecf052965c7e44684c55de8ab5d97b
SHA512: c39723e9ae615f8d6004fc54b026d74c536d1fb8cab0a65a1fb7ead67126293b75f608a8ce911916d20be76a000f92ead8dd1f652abdb64a6ef3369a2bd08d5a
Signatures:
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Drops startup file
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: QUOTATION.exe
Size: 562KB
MD5: 21fd27bf9ec8cae0d958388319af9556
SHA1: f56d951b083b72300316ea71925868959ebbefb6
SHA256: df9211c8d0cf3b06189f2b29e7704219c3ed996dd21e97ca47f63f8c1f8537da
SHA512: f76da8389181d8bace01cabc1ed9f37b712e52e52eccaddf679d90dec708f19144d84e0eca1e7cbc708286c3db1a69d24fee0302ed498fcb03ab16c49940bd7c
Score: 10/10
Signatures:
- Matiex Main Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops startup file
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext