Overview

Overall score: 10/10

Analysis task          Platform             Score
static                 -                    10/10
malware/EinTT.exe      windows7_x64         10/10
malware/EinTT.exe      windows10-2004_x64   10/10
malware/fox.exe        windows7_x64         8/10
malware/fox.exe        windows10-2004_x64   8/10
malware/guJPO.exe      windows7_x64         10/10
malware/guJPO.exe      windows10-2004_x64   10/10
malware/loader1.exe    windows7_x64         10/10
malware/loader1.exe    windows10-2004_x64   10/10
malware/regasm.exe     windows7_x64         10/10
malware/regasm.exe     windows10-2004_x64   10/10
malware/vbc.exe        windows7_x64         10/10
malware/vbc.exe        windows10-2004_x64   10/10
malware/vbc1.exe       windows7_x64         10/10
malware/vbc1.exe       windows10-2004_x64   10/10
malware/vbc2.exe       windows7_x64         10/10
malware/vbc2.exe       windows10-2004_x64   10/10
General

Target: malware.zip
Size: 1.8MB
Sample: 220406-j5l21afahj
MD5: 8fae35da9fc7bd3729bc7a3e361bddda
SHA1: 1198db2a80225df6aa0bde198c10673695f5b2c5
SHA256: 9404c7a99bcdde02f50e378d1dffad170426af7c1c5c545b2f6fd57de48ffad5
SHA512: 9c55baf896cab02a0e604aa1e23e1afac8b0700b3d6cfd6a72528b13e81f76088416521f37e05cbbebd9bb716a928747ae3b3053655f4baa68ee697fd36d8927
Behavioral tasks

Task           Sample                 Resource
behavioral1    malware/EinTT.exe      win7-20220331-en
behavioral2    malware/EinTT.exe      win10v2004-20220331-en
behavioral3    malware/fox.exe        win7-20220331-en
behavioral4    malware/fox.exe        win10v2004-20220331-en
behavioral5    malware/guJPO.exe      win7-20220331-en
behavioral6    malware/guJPO.exe      win10v2004-20220331-en
behavioral7    malware/loader1.exe    win7-20220331-en
behavioral8    malware/loader1.exe    win10v2004-20220331-en
behavioral9    malware/regasm.exe     win7-20220331-en
behavioral10   malware/regasm.exe     win10v2004-20220331-en
behavioral11   malware/vbc.exe        win7-20220331-en
behavioral12   malware/vbc.exe        win10v2004-20220331-en
behavioral13   malware/vbc1.exe       win7-20220331-en
behavioral14   malware/vbc1.exe       win10v2004-20220331-en
behavioral15   malware/vbc2.exe       win7-20220311-en
behavioral16   malware/vbc2.exe       win10v2004-20220331-en
Malware Config

Extracted: xloader
Version: 2.5
Campaign ID: ahc8
C2 domains (XLoader/FormBook configs carry one live C2 among many decoy domains, and the report does not mark which is live; treat a hit on this list as a hunting lead, not a verdict):
192451.com
wwwripostes.net
sirikhalsalaw.com
bitterbaybay.com
stella-scrubs.com
almanecermezcal.com
goodgood.online
translate-now.online
sincerefilm.com
quadrantforensics.com
johnfrenchart.com
plick-click.com
alnileen.com
tghi.xyz
172711.com
maymakita.com
punnyaseva.com
ukash-online.com
sho-yururi-blog.com
hebergement-solidaire.com
civicinfluencers.net
gzhf8888.com
kuleallstar.com
palisadeslodgecondos.com
holyhirschsprungs.com
azalearoseuk.com
jaggllc.com
italianrofrow.xyz
ioewur.xyz
3a5hlv.icu
kitcycle.com
estate.xyz
ankaraescortvip.xyz
richclubsite2001.xyz
kastore.website
515pleasantvalleyway.com
sittlermd.com
mytemple.group
tiny-wagen.com
sharaleesvintageflames.com
mentalesteem.com
sport-newss.online
fbve.space
lovingtruebloodindallas.com
eaglehospitality.biz
roofrepairnow.info
mcrosfts-updata.digital
cimpactinc.com
greatnotleyeast.com
lovely-tics.com
douglas-enterprise.com
dayannalima.online
ksodl.com
rainbowlampro.com
theinteriorsfurniture.com
eidmueller.email
cg020.online
gta6fuzhu.com
cinemaocity.com
hopeitivity.com
savageequipment.biz
groceriesbazaar.com
hempgotas.com
casino-pharaon-play.xyz
ralfrassendnk-login.com

Extracted: (family not labelled in the report; same SMTP exfiltration settings as the AgentTesla config below)
Protocol: smtp
Host: mail.mushko-ps.com
Port: 587
Username: umair@mushko-ps.com
Password: Uma335@Mps

Extracted: agenttesla
Protocol: smtp
Host: mail.mushko-ps.com
Port: 587
Username: umair@mushko-ps.com
Password: Uma335@Mps
Email To: ijeoma.12@yandex.com

Extracted: lokibot
C2 URLs:
http://iowipalbv6atsy.tk/Concord/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://mail.outlook-webpage-auth.ml/joe/fre.php
http://chrisupdated.xyz/ttboi/five/fre.php
http://62.197.136.176/userbob/five/fre.php
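The extracted configs above are only useful once they are turned into something that can be run over telemetry. The script below is an added example written for this page, not code from the sandbox report or from any of the malware families; it builds an indicator set from the XLoader domain list, the LokiBot gate URLs, the AgentTesla SMTP host and the target SHA-256 hashes, and runs it over a constructed log (DNS, proxy and connection events in an assumed `k=v` format, not real telemetry). The LokiBot User-Agent string is an assumption: it is what the ET rule named on this page keys on, but the report itself does not print it.

```python
"""Indicator matcher built from the extracted configs in this report.

Added example (editor-written, not part of the sandbox report or of any
malware family). Indicator values are copied from the report; the log lines
and file bytes below are constructed for the demo, not real telemetry.
"""
import hashlib
import re
from urllib.parse import urlsplit

# XLoader 2.5 / campaign ahc8 domain list (subset; extend with the rest of the
# page's entries). Most entries are decoys, so a hit is a lead, not a verdict.
XLOADER_DOMAINS = {
    "192451.com", "wwwripostes.net", "sirikhalsalaw.com", "bitterbaybay.com",
    "mcrosfts-updata.digital", "ralfrassendnk-login.com",
}
# LokiBot C2 gate URLs (full list from the report).
LOKIBOT_URLS = {
    "http://iowipalbv6atsy.tk/Concord/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
    "http://mail.outlook-webpage-auth.ml/joe/fre.php",
    "http://chrisupdated.xyz/ttboi/five/fre.php",
    "http://62.197.136.176/userbob/five/fre.php",
}
# AgentTesla exfiltration mailbox: host and port from the extracted SMTP config.
AGENTTESLA_SMTP = ("mail.mushko-ps.com", 587)
# SHA-256 of each dropped target, from the Targets section of the report.
SAMPLE_SHA256 = {
    "693b96514d1d57ee01269e74390bef130a9980cd91f8487cac6f3a89c4f18b25": "malware/EinTT.exe",
    "3b14b04160d49bdd074d3d571992ed5333b8292a3c0f8f58988c606bd91408f9": "malware/fox.exe",
    "4ef90b24b4674cd6914181ff64e47d9a31069412cb41ffb60dfcf1c0f491dd74": "malware/guJPO.exe",
    "10ccac80baa31a7a96f2b73fe158db6b699f27f9b89af9692a0ccc152802fb12": "malware/loader1.exe",
    "7500469c4541e998741549c72877eeda8d52ef698155cc5042eff21ed2bf8581": "malware/regasm.exe",
    "1b26f49cdc29c81ea4d8f5571349e835662bca7881608dce0d13e86798dd9ac4": "malware/vbc.exe",
    "b77f6786b940f40b4eebd492b925ad174b28b50fbf9ead3a1b1000189b530704": "malware/vbc1.exe",
    "0007c9f7203e80c87042d5b4ae3208bf3adf66657c65e02ef6136c5b18ee3bcb": "malware/vbc2.exe",
}
# Assumption: LokiBot's hard-coded User-Agent, the string behind the ET rule
# "LokiBot User-Agent (Charon/Inferno)"; the report does not print it.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # k=v or k="v with spaces"


def host_indicators():
    """Every host-type indicator: XLoader domains, LokiBot URL hosts, SMTP host."""
    hosts = set(XLOADER_DOMAINS)
    hosts.update(urlsplit(u).hostname for u in LOKIBOT_URLS)
    hosts.add(AGENTTESLA_SMTP[0])
    return hosts


def match_host(name):
    """Return the indicator matching an exact host or any of its subdomains."""
    name = name.lower().rstrip(".")
    for ioc in host_indicators():
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def parse_line(line):
    """Parse '<ts> <kind> k=v k="v v"' (the constructed log format) into a dict."""
    ts, kind, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"], fields["kind"] = ts, kind
    return fields


def check_event(f):
    """Return [(indicator_type, indicator)] hits for one parsed event."""
    hits = []
    if f["kind"] == "dns":
        ioc = match_host(f["query"])
        if ioc:
            hits.append(("host", ioc))
    elif f["kind"] == "http":
        if f["url"] in LOKIBOT_URLS:            # exact gate URL beats a host hit
            hits.append(("lokibot_c2_url", f["url"]))
        else:
            ioc = match_host(urlsplit(f["url"]).hostname or "")
            if ioc:
                hits.append(("host", ioc))
        if f.get("ua") == LOKIBOT_UA:
            hits.append(("lokibot_user_agent", LOKIBOT_UA))
    elif f["kind"] == "conn":
        if (f.get("dst"), int(f.get("dport", 0))) == AGENTTESLA_SMTP:
            hits.append(("agenttesla_smtp_exfil", "%s:%d" % AGENTTESLA_SMTP))
    return hits


def scan_log(lines):
    """Return (ts, kind, hits) for every line matching at least one indicator."""
    out = []
    for f in map(parse_line, lines):
        hits = check_event(f)
        if hits:
            out.append((f["ts"], f["kind"], hits))
    return out


def check_file_bytes(data):
    """Report target whose SHA-256 matches these bytes, or None."""
    return SAMPLE_SHA256.get(hashlib.sha256(data).hexdigest())


# Constructed sample log (not real telemetry): XLoader DNS lookup, LokiBot
# check-in, AgentTesla SMTP connection, benign query, subdomain of an XLoader entry.
SAMPLE_LOG = [
    '2022-04-06T10:12:01Z dns query=wwwripostes.net type=A src=10.0.0.15',
    '2022-04-06T10:12:03Z http method=GET url=http://alphastand.top/alien/fre.php ua="Mozilla/4.08 (Charon; Inferno)" src=10.0.0.15',
    '2022-04-06T10:13:00Z conn proto=tcp dst=mail.mushko-ps.com dport=587 src=10.0.0.15',
    '2022-04-06T10:14:00Z dns query=www.microsoft.com type=A src=10.0.0.15',
    '2022-04-06T10:15:00Z dns query=cdn.mcrosfts-updata.digital type=A src=10.0.0.15',
]


def demo():
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for ts, kind, hits in demo():
        print(ts, kind, hits)
```

Two design points: the LokiBot gate URLs are matched exactly (a `fre.php` path on the listed host is the check-in, so a host-only match would lose that precision), while the XLoader list is matched by host and subdomain because the config gives domains only. Because the XLoader list is mostly decoys, a match on it alone should raise a hunting ticket, not a block; the LokiBot URL or User-Agent and the SMTP connection to the extracted mailbox are far stronger signals.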
Targets

Target: malware/EinTT.exe
Size: 583KB
MD5: a4741e30b7b12d7b7ff728527bf7023e
SHA1: d8429912433ca80b1fde886c1e91af51abab5efe
SHA256: 693b96514d1d57ee01269e74390bef130a9980cd91f8487cac6f3a89c4f18b25
SHA512: 7532983d8d1ac79bfc1384320461ee807dbfd5399c82a01c2f86746adb50e614ab5ca85a466a512f9a9af0bab7cffabd98a2d37e5023815c2e3bfa962d360342
Family: AgentTesla
Agent Tesla is a .NET (VB.NET) information stealer with remote-access features; it harvests credentials from browsers, mail clients and other applications and exfiltrates them over SMTP, FTP or HTTP, which matches the SMTP config extracted above.
Signatures:
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext (rewriting another process's thread context is the hallmark of process hollowing)

Target: malware/fox.exe
Size: 21KB
MD5: dce19521a9244e07348ad6d9594d0e82
SHA1: 0afa324ff68a5e398c1c7d2b1c86ad2c8cc1c9aa
SHA256: 3b14b04160d49bdd074d3d571992ed5333b8292a3c0f8f58988c606bd91408f9
SHA512: 49892e61920f4baf2d3228ab5b985c4252411cb40bca68d3fa069148cf474c1a3160f043c3b2b532634e361350be9f39bd89a9e92361c962dc65cab5b939a496
Score: 8/10
Signatures:
- Downloads MZ/PE file

Target: malware/guJPO.exe
Size: 164KB
MD5: a73bd7a7d57c7132fab130836c4e1bf3
SHA1: be5a57900b99030c1edda051f47ac7b71d5a4402
SHA256: 4ef90b24b4674cd6914181ff64e47d9a31069412cb41ffb60dfcf1c0f491dd74
SHA512: 6470654f2dcf22bcbf38d293f08545de4660ea2f66dc180523c5b2ebf1e664b2f93756b62f665c3d30f923eb0efcc4f5025bb7f27bd2d4420fda3128238ba20a
Network alerts:
- suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts; XLoader is the rebranded FormBook, so the FormBook rule fires on its check-in)
Signatures:
- Xloader Payload
- Deletes itself
- Suspicious use of SetThreadContext

Target: malware/loader1.exe
Size: 233KB
MD5: b347d8b2e90e11981f6895be59b5f30c
SHA1: fecff17fe981b71deaa00b7522833f2a9c3ffee7
SHA256: 10ccac80baa31a7a96f2b73fe158db6b699f27f9b89af9692a0ccc152802fb12
SHA512: c812ea37eccc072a73ff4e1c81eb29b1b5ca2eda5a02c1fae2955cee49d0b770bfa7437e9f67ea15f39838d75c546da6a8359a616f537dd7ab785d0fbfcc617c
Score: 10/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: malware/regasm.exe
Size: 401KB
MD5: 29b6f7f3043b17847283b694e6eecffc
SHA1: 2dc63f5052eb2dbfd6c0c9192b92e1f53b32ccd8
SHA256: 7500469c4541e998741549c72877eeda8d52ef698155cc5042eff21ed2bf8581
SHA512: be4b02c6f0b0fcf1155b3970557ab618dc4da26b77bacb75422da110d89458d89e927301b3f49a179466dcbea186435b8ad94bcc03b8c77fcd8158f4a9147684
Score: 10/10
Signatures:
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: malware/vbc.exe
Size: 231KB
MD5: 72b2e84c1aec86b5c955ff098d7fd8b7
SHA1: 20f9c563206eff907cfad0723988de58872bc93e
SHA256: 1b26f49cdc29c81ea4d8f5571349e835662bca7881608dce0d13e86798dd9ac4
SHA512: e5d062f0b105332ffa06f3e13c5ecc0dd66fc58bb631f31bd85b4a60f138ff2e127550eec6dbd47cb644ea2def1aa1fcb473a4db2c36752946798998e2adadaa
Network alerts:
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno) (2 alerts)
Signatures:
- Executes dropped EXE
- Loads dropped DLL
- Uses the Visual Basic compiler (vbc.exe) for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: malware/vbc1.exe
Size: 233KB
MD5: 9a438bc1d2e08161d0fade11ff6c39bf
SHA1: 9522e356bba95728046ced9c7071b58cdb5a6d76
SHA256: b77f6786b940f40b4eebd492b925ad174b28b50fbf9ead3a1b1000189b530704
SHA512: 2ecffdcb152f302ea16bbfdd57182ccac40361a2c2345cf41d0863685807ebdeaf9f8c43ce43816289d45352dbafade5c8ba820795c0c8c7cf8e016bcf8ade9d
Network alerts:
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno) (2 alerts)
Signatures:
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: malware/vbc2.exe
Size: 265KB
MD5: aad8885345c5d145c8cb22292332fb38
SHA1: b7c01db77c5cd491bee82e125d4783175a1f73b7
SHA256: 0007c9f7203e80c87042d5b4ae3208bf3adf66657c65e02ef6136c5b18ee3bcb
SHA512: 70bd8402767b7c7ca1fce5f737e5fff44dda0ebf5a81f1465589dfe5179bc17d82009f771157d2003bf22f7d5582f90330f1159d9d464c90dceeff503e568f09
Score: 10/10
Family: AgentTesla
Agent Tesla is a .NET (VB.NET) information stealer with remote-access features; it harvests credentials from browsers, mail clients and other applications and exfiltrates them over SMTP, FTP or HTTP, which matches the SMTP config extracted above.
Signatures:
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext