General

  • Target

    malware.zip

  • Size

    1.8MB

  • Sample

    220406-j5l21afahj

  • MD5

    8fae35da9fc7bd3729bc7a3e361bddda

  • SHA1

    1198db2a80225df6aa0bde198c10673695f5b2c5

  • SHA256

    9404c7a99bcdde02f50e378d1dffad170426af7c1c5c545b2f6fd57de48ffad5

  • SHA512

    9c55baf896cab02a0e604aa1e23e1afac8b0700b3d6cfd6a72528b13e81f76088416521f37e05cbbebd9bb716a928747ae3b3053655f4baa68ee697fd36d8927

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy


Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mushko-ps.com
  • Port:
    587
  • Username:
    umair@mushko-ps.com
  • Password:
    Uma335@Mps

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mushko-ps.com
  • Port:
    587
  • Username:
    umair@mushko-ps.com
  • Password:
    Uma335@Mps
  • Email To:
    ijeoma.12@yandex.com

Extracted

Family

lokibot

C2


Targets

    • Target

      malware/EinTT.exe

    • Size

      583KB

    • MD5

      a4741e30b7b12d7b7ff728527bf7023e

    • SHA1

      d8429912433ca80b1fde886c1e91af51abab5efe

    • SHA256

      693b96514d1d57ee01269e74390bef130a9980cd91f8487cac6f3a89c4f18b25

    • SHA512

      7532983d8d1ac79bfc1384320461ee807dbfd5399c82a01c2f86746adb50e614ab5ca85a466a512f9a9af0bab7cffabd98a2d37e5023815c2e3bfa962d360342

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      malware/fox.exe

    • Size

      21KB

    • MD5

      dce19521a9244e07348ad6d9594d0e82

    • SHA1

      0afa324ff68a5e398c1c7d2b1c86ad2c8cc1c9aa

    • SHA256

      3b14b04160d49bdd074d3d571992ed5333b8292a3c0f8f58988c606bd91408f9

    • SHA512

      49892e61920f4baf2d3228ab5b985c4252411cb40bca68d3fa069148cf474c1a3160f043c3b2b532634e361350be9f39bd89a9e92361c962dc65cab5b939a496

    • Score

      8/10
    • Downloads MZ/PE file

    • Target

      malware/guJPO.exe

    • Size

      164KB

    • MD5

      a73bd7a7d57c7132fab130836c4e1bf3

    • SHA1

      be5a57900b99030c1edda051f47ac7b71d5a4402

    • SHA256

      4ef90b24b4674cd6914181ff64e47d9a31069412cb41ffb60dfcf1c0f491dd74

    • SHA512

      6470654f2dcf22bcbf38d293f08545de4660ea2f66dc180523c5b2ebf1e664b2f93756b62f665c3d30f923eb0efcc4f5025bb7f27bd2d4420fda3128238ba20a

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      malware/loader1.exe

    • Size

      233KB

    • MD5

      b347d8b2e90e11981f6895be59b5f30c

    • SHA1

      fecff17fe981b71deaa00b7522833f2a9c3ffee7

    • SHA256

      10ccac80baa31a7a96f2b73fe158db6b699f27f9b89af9692a0ccc152802fb12

    • SHA512

      c812ea37eccc072a73ff4e1c81eb29b1b5ca2eda5a02c1fae2955cee49d0b770bfa7437e9f67ea15f39838d75c546da6a8359a616f537dd7ab785d0fbfcc617c

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      malware/regasm.exe

    • Size

      401KB

    • MD5

      29b6f7f3043b17847283b694e6eecffc

    • SHA1

      2dc63f5052eb2dbfd6c0c9192b92e1f53b32ccd8

    • SHA256

      7500469c4541e998741549c72877eeda8d52ef698155cc5042eff21ed2bf8581

    • SHA512

      be4b02c6f0b0fcf1155b3970557ab618dc4da26b77bacb75422da110d89458d89e927301b3f49a179466dcbea186435b8ad94bcc03b8c77fcd8158f4a9147684

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      malware/vbc.exe

    • Size

      231KB

    • MD5

      72b2e84c1aec86b5c955ff098d7fd8b7

    • SHA1

      20f9c563206eff907cfad0723988de58872bc93e

    • SHA256

      1b26f49cdc29c81ea4d8f5571349e835662bca7881608dce0d13e86798dd9ac4

    • SHA512

      e5d062f0b105332ffa06f3e13c5ecc0dd66fc58bb631f31bd85b4a60f138ff2e127550eec6dbd47cb644ea2def1aa1fcb473a4db2c36752946798998e2adadaa

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      malware/vbc1.exe

    • Size

      233KB

    • MD5

      9a438bc1d2e08161d0fade11ff6c39bf

    • SHA1

      9522e356bba95728046ced9c7071b58cdb5a6d76

    • SHA256

      b77f6786b940f40b4eebd492b925ad174b28b50fbf9ead3a1b1000189b530704

    • SHA512

      2ecffdcb152f302ea16bbfdd57182ccac40361a2c2345cf41d0863685807ebdeaf9f8c43ce43816289d45352dbafade5c8ba820795c0c8c7cf8e016bcf8ade9d

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      malware/vbc2.exe

    • Size

      265KB

    • MD5

      aad8885345c5d145c8cb22292332fb38

    • SHA1

      b7c01db77c5cd491bee82e125d4783175a1f73b7

    • SHA256

      0007c9f7203e80c87042d5b4ae3208bf3adf66657c65e02ef6136c5b18ee3bcb

    • SHA512

      70bd8402767b7c7ca1fce5f737e5fff44dda0ebf5a81f1465589dfe5179bc17d82009f771157d2003bf22f7d5582f90330f1159d9d464c90dceeff503e568f09

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic                Technique                      Count  ID
Execution             Scheduled Task                 1      T1053
Execution             Scripting                      1      T1064
Persistence           Scheduled Task                 1      T1053
Privilege Escalation  Scheduled Task                 1      T1053
Defense Evasion       Scripting                      1      T1064
Credential Access     Credentials in Files           7      T1081
Discovery             System Information Discovery   6      T1082
Discovery             Query Registry                 1      T1012
Collection            Data from Local System         7      T1005
Collection            Email Collection               5      T1114

Tasks

static1

rat ahc8 xloader
Score
10/10

behavioral1

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral2

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral3

Score
8/10

behavioral4

Score
8/10

behavioral5

xloader ahc8 loader rat suricata
Score
10/10

behavioral6

xloader ahc8 loader rat suricata
Score
10/10

behavioral7

lokibot collection spyware stealer trojan
Score
10/10

behavioral8

lokibot collection spyware stealer trojan
Score
10/10

behavioral9

lokibot collection spyware stealer trojan
Score
10/10

behavioral10

lokibot collection spyware stealer trojan
Score
10/10

behavioral11

lokibot collection spyware stealer suricata trojan
Score
10/10

behavioral12

lokibot collection spyware stealer suricata trojan
Score
10/10

behavioral13

lokibot collection spyware stealer suricata trojan
Score
10/10

behavioral14

lokibot collection spyware stealer suricata trojan
Score
10/10

behavioral15

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral16

agenttesla keylogger spyware stealer trojan
Score
10/10