General

  • Target: 150ff79b8e8f3c3e3fb6e325469023a1988e56697834737bffcaf513e267833c
  • Size: 1.0MB
  • Sample: 220520-3fhstsggg3
  • MD5: 3dc57131508b4e8c6fa5c5c767f0c070
  • SHA1: da8a8b61da761a5b2ace5a85df4982133b6adce0
  • SHA256: 150ff79b8e8f3c3e3fb6e325469023a1988e56697834737bffcaf513e267833c
  • SHA512: a185912bb6ec8b5cb79e8e2cb71f095a868fc5ea5e95910e705ada2a623314927ecaf771075b8862b732f95c3c5791b57310c44b001dc0f747d05499af2422e4

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: hkn
  • Decoy:

Extracted

  • Family: agenttesla
  • Credentials
    • Protocol: smtp
    • Host: smtp.flowtech-eng.net
    • Port: 587
    • Username: [email protected]
    • Password: RKZtqmQ*#1

Targets

    • Target: Datasheet and specifications.exe
    • Size: 799KB
    • MD5: 6a8a29a1395db9c9d0dd8a00489a85c0
    • SHA1: 7962521b71d7222cc4aec8db1a6566b2f36653f3
    • SHA256: 4a21cad0d588267ebde8f8112e9d85bf355c77434beda6436cd9403a0a787c0d
    • SHA512: ef14b51d2950c4a5c299e00286086b5331548c1104c328c746d1dbb1735116d8b7a0cab7efd13154500d940ba635fc4d52144bfd49c0c7a1fbac69bbf6ac224b

    • Formbook

      Formbook is a data-stealing malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Formbook Payload

    • Adds policy Run key to start application

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • Target: Request for Quotation for MET Group AG.exe
    • Size: 887KB
    • MD5: b7b5b372f5e4a1d4a93d2638b893e7e1
    • SHA1: 19fb6827cc70cfce92ea0e997823d4e0197bc729
    • SHA256: 850d2b9605dd60453e789781aac42f97222f0f1c86ed87c5daa27f38e395e2bc
    • SHA512: 0453280c854cef1b38abccf48ff11615c88dab7cdcc380c62dfd28d7cf9573f8134a82e8e0a5aea55d9179b7a8eb3ff51063e5a9b141a7c6707bc8dea8495c0b

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
