General

  • Target

    2c6ab55eeb9c6860e323d83db778de04484ecca9e44766078985e8ed9e5fd42e

  • Size

    1.5MB

  • Sample

    220208-dqgabacef6

  • MD5

    607128d07d71acd1bfbda6d8a6c4e5c7

  • SHA1

    b4b87e37c9263888a6996b598eea5048f1a219b0

  • SHA256

    2c6ab55eeb9c6860e323d83db778de04484ecca9e44766078985e8ed9e5fd42e

  • SHA512

    1d431cfd52433df53328942fff3855cd3c9835f0241e1dd3a24f1b0fa5a74fed1aed793ad85f6cabf9b6a6d3cd2d6eae3bf0f9b5ec8502538c6cf66ca52bd83f

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Targets

    • Target

      INV.exe

    • Size

      310KB

    • MD5

      74af18caa94425fd150c9bc2b1b89771

    • SHA1

      d324c1ea8218c2a65b89c47b0ba11b63acb464b0

    • SHA256

      0689d5aa88eeabb27ebb29c4a50ce9d1d125e641484cc649ab1bf34327e611e5

    • SHA512

      0d81e5216fd47ede4023996a82554e7592eb33c804a8d9407079482c5c0902d08cc4ae3cd3fb1ca019a1923c1213af594f63bd5f3b2aaa8ef46fc92dbe32d96d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      PACKING LISTS.exe

    • Size

      309KB

    • MD5

      25e396015a9db6326384b2091bcc9fad

    • SHA1

      e7b083cb514c5d6625b6babfffe7429537aeca4f

    • SHA256

      15b7e016d58fd18d0f7eb8f578ba217b9aaac7367c0eddd7a545f9d98d49e288

    • SHA512

      23d1b45f1324c5206a1a05f11046d56bbeefa996953d0697c06f3ceb6f59a9d67b150e2742661b828d2c1218153f45cd8a6bbf3f59b0b8309d2ad03734119b05

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      PICS.exe

    • Size

      614KB

    • MD5

      d58af35ac0ce272e393f814bc485cf04

    • SHA1

      3cc3b71d1231b4434aab5f4d04ad1ce6321ca44c

    • SHA256

      d6544a0b973c2a4a5ee527a2aa91ea58825b12e3c32e7d93052b4256127f9d0f

    • SHA512

      cf424b7c441b652fae1f6221b277cc263fcf11465fd618d2115fb5840c73947923175b295c2701482ecb8cb43a9dd03ba1d7d97bbf131371cfe0b78edd34cde0

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops startup file

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      QUOTATION.exe

    • Size

      539KB

    • MD5

      46f606d353f874f3a7d331919337fa4e

    • SHA1

      e4cd9db1f7ab39819591392d9ed49e24116e31f0

    • SHA256

      96419e24a139be22003f18188eb9d4eac5fb5b8372dd055509365d0d6e4665d4

    • SHA512

      e7f0a08d29e958705d9b6f0b4e5a4e9732df001292d95155aa6e5a457bb30e76b4b2c244e77d2ed79e83df8f65fe2785a218cc532cd04f41fb9693606a70a207

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    T1064 Scripting (1)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (3)

  • Defense Evasion

    T1112 Modify Registry (3)
    T1064 Scripting (1)

  • Credential Access

    T1081 Credentials in Files (8)

  • Discovery

    T1012 Query Registry (2)
    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (8)
    T1114 Email Collection (3)

Tasks