General
Target: 2c6ab55eeb9c6860e323d83db778de04484ecca9e44766078985e8ed9e5fd42e
Size: 1.5MB
Sample: 220208-dqgabacef6
MD5: 607128d07d71acd1bfbda6d8a6c4e5c7
SHA1: b4b87e37c9263888a6996b598eea5048f1a219b0
SHA256: 2c6ab55eeb9c6860e323d83db778de04484ecca9e44766078985e8ed9e5fd42e
SHA512: 1d431cfd52433df53328942fff3855cd3c9835f0241e1dd3a24f1b0fa5a74fed1aed793ad85f6cabf9b6a6d3cd2d6eae3bf0f9b5ec8502538c6cf66ca52bd83f
Static task: static1
Behavioral task: behavioral1 - Sample: INV.exe - Resource: win7-en-20211208
Behavioral task: behavioral2 - Sample: INV.exe - Resource: win10v2004-en-20220112
Behavioral task: behavioral3 - Sample: PACKING LISTS.exe - Resource: win7-en-20211208
Behavioral task: behavioral4 - Sample: PACKING LISTS.exe - Resource: win10v2004-en-20220113
Behavioral task: behavioral5 - Sample: PICS.exe - Resource: win7-en-20211208
Behavioral task: behavioral6 - Sample: PICS.exe - Resource: win10v2004-en-20220113
Behavioral task: behavioral7 - Sample: QUOTATION.exe - Resource: win7-en-20211208
Behavioral task: behavioral8 - Sample: QUOTATION.exe - Resource: win10v2004-en-20220112
Malware Config
Extracted (agenttesla)
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: MARYolanmauluogwo@ever
Extracted
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: MARYolanmauluogwo@ever
Extracted (matiex)
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: MARYolanmauluogwo@ever
Targets
Target: INV.exe
Size: 310KB
MD5: 74af18caa94425fd150c9bc2b1b89771
SHA1: d324c1ea8218c2a65b89c47b0ba11b63acb464b0
SHA256: 0689d5aa88eeabb27ebb29c4a50ce9d1d125e641484cc649ab1bf34327e611e5
SHA512: 0d81e5216fd47ede4023996a82554e7592eb33c804a8d9407079482c5c0902d08cc4ae3cd3fb1ca019a1923c1213af594f63bd5f3b2aaa8ef46fc92dbe32d96d
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: PACKING LISTS.exe
Size: 309KB
MD5: 25e396015a9db6326384b2091bcc9fad
SHA1: e7b083cb514c5d6625b6babfffe7429537aeca4f
SHA256: 15b7e016d58fd18d0f7eb8f578ba217b9aaac7367c0eddd7a545f9d98d49e288
SHA512: 23d1b45f1324c5206a1a05f11046d56bbeefa996953d0697c06f3ceb6f59a9d67b150e2742661b828d2c1218153f45cd8a6bbf3f59b0b8309d2ad03734119b05
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: PICS.exe
Size: 614KB
MD5: d58af35ac0ce272e393f814bc485cf04
SHA1: 3cc3b71d1231b4434aab5f4d04ad1ce6321ca44c
SHA256: d6544a0b973c2a4a5ee527a2aa91ea58825b12e3c32e7d93052b4256127f9d0f
SHA512: cf424b7c441b652fae1f6221b277cc263fcf11465fd618d2115fb5840c73947923175b295c2701482ecb8cb43a9dd03ba1d7d97bbf131371cfe0b78edd34cde0
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Drops startup file
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: QUOTATION.exe
Size: 539KB
MD5: 46f606d353f874f3a7d331919337fa4e
SHA1: e4cd9db1f7ab39819591392d9ed49e24116e31f0
SHA256: 96419e24a139be22003f18188eb9d4eac5fb5b8372dd055509365d0d6e4665d4
SHA512: e7f0a08d29e958705d9b6f0b4e5a4e9732df001292d95155aa6e5a457bb30e76b4b2c244e77d2ed79e83df8f65fe2785a218cc532cd04f41fb9693606a70a207
Score: 10/10
- Matiex Main Payload
- Drops startup file
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext