General

  • Target

    8dd97dc341e72b4830a7375c3e51de56ac35b91a31498d2dbeba929846d6129e

  • Size

    3.4MB

  • Sample

    220221-m7hzxahgc9

  • MD5

    170d8b1b82becf5da5d00a625cc48e82

  • SHA1

    efea505622e66451df835544a541cdf2644350dd

  • SHA256

    8dd97dc341e72b4830a7375c3e51de56ac35b91a31498d2dbeba929846d6129e

  • SHA512

    e43e7b901b47e0c2dc30734e684867d673625107c9a337f3697d7b94be33dfeea784842ee30d24f8c188241c7100103db712ce0bd8b1b5c09b0c8b69fbb4fefb

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Targets

    • Target

      NDt93WWQwd089H7.exe

    • Size

      1.3MB

    • MD5

      0f330f518f4f71f0735cce4eaf1612d7

    • SHA1

      f34909417588543112974ebbc0fa8236a8a604c1

    • SHA256

      702554b4a0770d70bd5972318d2294ef2b26001595b574d122264b8c1793457c

    • SHA512

      ee5ec83814a64c56bdfdaec885396c86364ccf5bd7eaa25b3bdd2c43c6a8c7427bdf2a7514a7c0043294cdf7c9b89699a818ca65d5e4ef6f5d04c0de94597db3

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      YyeznSFcE5IUYLS.exe

    • Size

      936KB

    • MD5

      49ad4e42ac4829d60cb703811a951363

    • SHA1

      d0deb06327fc6545177fabaaff9a14312a9e2d2c

    • SHA256

      a5eb38594eb57ed5010a258b0f35aa3647243e8eb5ba4474eee9808abcaeb149

    • SHA512

      7a144c931c1b313f4783c1b11e7df41ac1a893bfb80dce5942eb75e8b0e9533c3de7cf720444070df4d95dc730227e71b0542e769fc6a41e22008d901d141700

    • Target

      w7a5Qzx6sR1WxLJ.exe

    • Size

      963KB

    • MD5

      817224692a2f3575c413a823c20cbe08

    • SHA1

      13c029398a71a48f3cc56a05822a7263e599f1cc

    • SHA256

      06874ef73df2968a28b4c4ecefc2d96d520941eeb8f447f76767ecdfd5a59b79

    • SHA512

      d6f4fa8546351d7a0c97a84bf1e5cf7b5473fe3ea0017b6f277bbfe0b188382508b2dce5e7c90a4d9c19d8698c5afc1d7616f245bcf6ef7757b529be794cad3d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      wCRnCAMZ3yT8BQ2.exe

    • Size

      938KB

    • MD5

      2363f93331fc792ae9cb5750043bdc89

    • SHA1

      2fc0b7b4106a28ffe7f63f36ff64fe045e8f7daa

    • SHA256

      08c29dfa0ccb747751c5ff3ccde88f7f8a5a87152121f75f60a886b14e86bf00

    • SHA512

      a4a47c39e03c22844725b51ffd56f3ae01e9095733e8442eaba1fcf0e3a0e1edb127a6bf4b5ab8063614829db27919dea5a0e62f9e7d320e625fc498a603ad3e

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks