General

  • Target

    b84beac430d5c3fd06f4a1016e305884689eba7596eea1d6ca8ffa2122f341ff

  • Size

    1.9MB

  • Sample

    220208-cjkhqacadm

  • MD5

    fc3b071a8f86b8746ab4c738a09c9da2

  • SHA1

    bf5950d3631551f57679aafc8789685f4319276a

  • SHA256

    b84beac430d5c3fd06f4a1016e305884689eba7596eea1d6ca8ffa2122f341ff

  • SHA512

    429be80f432e360743fce2d4b837ca793b750f9450d067d61321fb1ba546880bee60b6a9d10f47060ec8d23a51aea373a70c540f5ead41d01bb115c27301b405

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Targets

    • Target

      Inv.exe

    • Size

      744KB

    • MD5

      f8433b692958fa0ce7659e63203b60de

    • SHA1

      dd6595d2e6d5bdf54e718b07c94fc964eab69365

    • SHA256

      69b49da3c4767d2ffcd713aeea8343e1aa2f0be88512fc9c4d86a932b4ee6cb5

    • SHA512

      343ab88a59614251a2323af2b886069e5507aef04421c1b937661868a4c1c3332c60af85307b2b4dc21632c983e85372486ea6f5adfb3ffefeb11cb186718a6c

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops startup file

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      New Order.exe

    • Size

      439KB

    • MD5

      cfdf487ec65b12fb598214e07d4e2449

    • SHA1

      1a4c51f0f4d6356da677594800b4356c65da6074

    • SHA256

      bd021089d05bee433a76c55dd186d23261a7232e55ea540c9fd63f4403071a66

    • SHA512

      afb4fc6e187ab62f29adfef8390b74db3ba309c37fb8c57c38dd8beeaba74c11ea58643f45d9349206fdca0aaab567e067fe555368f44bdcb0401c8da0f81009

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Quotation.exe

    • Size

      440KB

    • MD5

      0547c6fd5e4d632b87d2f9a3dbc88587

    • SHA1

      022d3a644567f960a1fa692ed576a4aaf5ca72a0

    • SHA256

      e25588ef7f6dc061277b4380dc1f9ad034f1eb74c254cd778fea2ab7fe1783ab

    • SHA512

      bed9caa917ff25a5168017952b401f4688f0f04c0075442bcb95d891017293b403c42a1e6f43cea4fc6ee5e2e80ae90d4c19afc293283eb4e840bc8871878129

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      pictures and logo.exe

    • Size

      669KB

    • MD5

      4fa42a8beb305337e28cede06ceefa62

    • SHA1

      1ad401dc70385788123ae837eea020a9c1d9e9d9

    • SHA256

      c38b853587846014052d5b2206e8764dac66f7de9479ec3080e1872938bd7ceb

    • SHA512

      81dc56b84e3e95169de458d5842c50347455365388b96155aa25a7fea27dc756d20180265ee2b796b2d6ebc2d04d622a6fa9259877f371e956e1458415046807

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (T1064): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 3

  • Defense Evasion

    Scripting (T1064): 1

    Modify Registry (T1112): 3

  • Credential Access

    Credentials in Files (T1081): 8

  • Discovery

    Query Registry (T1012): 4

    System Information Discovery (T1082): 4

  • Collection

    Email Collection (T1114): 4

    Data from Local System (T1005): 8

Tasks