General

Target: af326a34efc85541f5da41eba908c3fb6532c61d0b75038fa0d7350db1490d12
Size: 2.7MB
Sample: 220520-3zv79scfeq
MD5: 33b2f1559d23a467aa4b3c7883eed39f
SHA1: 6e4f14f050024dbef7bf01da0f263d39da92e5e9
SHA256: af326a34efc85541f5da41eba908c3fb6532c61d0b75038fa0d7350db1490d12
SHA512: 2247ce7399cb0702642212ac2ada18e120f8826c12a5cf3cd9fcb6970207311e6f06c2fb516a4739e32ea6449d1ec6b48378e14cb79765ef3c6482e26d98e2bb
Static task: static1
Behavioral task: behavioral1 (sample BV10013_.exe, resource win7-20220414-en)
Behavioral task: behavioral2 (sample BV10013_.exe, resource win10v2004-20220414-en)
Behavioral task: behavioral3 (sample PICTURES.scr, resource win7-20220414-en)
Behavioral task: behavioral4 (sample PICTURES.scr, resource win10v2004-20220414-en)
Behavioral task: behavioral5 (sample REACH_ST.exe, resource win7-20220414-en)
Behavioral task: behavioral6 (sample REACH_ST.exe, resource win10v2004-20220414-en)
Behavioral task: behavioral7 (sample TEMPLATE.exe, resource win7-20220414-en)
Malware Config

Extracted (family: agenttesla)
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: onnybekee2@gmail.com
Password: z123456789ok

Extracted
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: sales01@seedwellresources.xyz
Password: coronavirus2020

Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: onnybekee2@gmail.com
Password: z123456789ok

Extracted (family: matiex)
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: sales02@seedwellresources.xyz
Password: coronavirus2020
Email To: sales01@seedwellresources.xyz
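The extracted configs are the most directly actionable part of the report: the stealer authenticates to the attacker's mailbox over SMTP submission (port 587), so the host:port pairs are network indicators and the account names are indicators for mail-provider logs and process memory. The script below, an added example that is not part of the Triage report and not the malware's code, turns the three configs above into indicator sets and matches them against outbound-connection events. The log lines and the strings dump are constructed for illustration; the list of "shared providers" treated as low-fidelity is an assumption.

```python
"""IOCs from the extracted SMTP exfiltration configs, matched against
outbound-connection logs.

Added example for this report; it is not Triage's code and not the malware's.
The three configs are copied from the "Malware Config" section; the log
lines and strings dump further down are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SmtpConfig:
    family: str
    host: str
    port: int
    username: str
    email_to: str = ""  # only the Matiex config records a separate recipient


# Values taken from the report (passwords deliberately left out: host, port
# and account names are what a defender pivots on).
EXTRACTED = [
    SmtpConfig("agenttesla", "smtp.gmail.com", 587, "onnybekee2@gmail.com"),
    SmtpConfig("agenttesla", "smtp.privateemail.com", 587, "sales01@seedwellresources.xyz"),
    SmtpConfig("matiex", "smtp.privateemail.com", 587, "sales02@seedwellresources.xyz",
               email_to="sales01@seedwellresources.xyz"),
]

# Assumption: large public mail providers are shared with legitimate users,
# so a bare host:port match on them is low-fidelity without the account name.
SHARED_MAIL_PROVIDERS = {"smtp.gmail.com"}


def iocs(configs):
    """Return (host:port pairs, account addresses, account domains)."""
    hosts = {(c.host, c.port) for c in configs}
    accounts = {c.username for c in configs} | {c.email_to for c in configs if c.email_to}
    domains = {a.split("@", 1)[1] for a in accounts}
    return hosts, accounts, domains


def classify_connections(log_text, configs):
    """Match key=value connection events against the exfil hosts.

    Returns a list of (ts, image, dst, severity): 'high' for a dedicated
    attacker mailbox host, 'low' for a shared provider such as Gmail.
    """
    hosts, _, _ = iocs(configs)
    hits = []
    for line in log_text.splitlines():
        ev = dict(re.findall(r"(\w+)=(\S+)", line))
        if "dst" not in ev:
            continue
        key = (ev["dst"], int(ev.get("dport", "0")))
        if key not in hosts:
            continue
        severity = "low" if key[0] in SHARED_MAIL_PROVIDERS else "high"
        hits.append((ev["ts"], ev["image"], key[0], severity))
    return hits


def find_accounts(text, configs):
    """Scan free text (mail-server auth logs, process memory strings) for the
    attacker mailboxes. These are not visible on the wire: submission on
    port 587 upgrades to TLS with STARTTLS before AUTH is sent."""
    _, accounts, _ = iocs(configs)
    return sorted(a for a in accounts if a.lower() in text.lower())


# Constructed outbound-connection events, one per line (not from the sandbox run).
SAMPLE_LOG = """\
ts=2022-05-20T15:02:11Z host=WS01 image=C:\\Users\\u\\AppData\\Local\\Temp\\sample.exe dst=smtp.privateemail.com dport=587
ts=2022-05-20T15:02:13Z host=WS01 image=C:\\Thunderbird\\thunderbird.exe dst=smtp.gmail.com dport=587
ts=2022-05-20T15:02:40Z host=WS01 image=C:\\Users\\u\\AppData\\Local\\Temp\\sample.exe dst=smtp.gmail.com dport=587
ts=2022-05-20T15:03:02Z host=WS01 image=C:\\Windows\\System32\\svchost.exe dst=login.live.com dport=443
"""

# Constructed strings dump from the sample's memory (not from the sandbox run).
SAMPLE_STRINGS = "...\nsmtp.privateemail.com\nsales02@seedwellresources.xyz\n...\n"

if __name__ == "__main__":
    for hit in classify_connections(SAMPLE_LOG, EXTRACTED):
        print(hit)
    print(find_accounts(SAMPLE_STRINGS, EXTRACTED))
```

The Gmail host produces a "low" hit for both the legitimate mail client and the sample, which is why the privateemail.com host and the seedwellresources.xyz accounts are the indicators worth blocking; a Gmail match only becomes useful once the AUTH username is confirmed at the provider or in memory.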
Targets

Target: BV10013_.BAT
Size: 490KB
MD5: 75c564a6cdbdabbfebc987ca24175e8f
SHA1: d20db6904b85c9e65a62aa0d14cb673f7f8d5678
SHA256: a83a9e5760babc377c95ad2aa5d8b9e895f445cf4c0f8869a4ebc4be3fbaf3e9
SHA512: 0317342c9347dca4c5cb41151149696807830b49865bc47657616ba60a7ed5102f08e0daa849871bb9cc948db2b1a08916ee5da067ef16c3eceebe4a53bc8ad6

Signatures:
- AgentTesla
  Agent Tesla is a .NET information stealer and remote access tool (RAT), typically written in Visual Basic .NET; it harvests stored credentials and exfiltrates them, here over SMTP as in the configs extracted above.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
  Outlook profile data in the registry holds stored mail account settings and credentials, a standard stealer target.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
  Setting the thread context of a suspended child process is the final step of process hollowing: the entry point is redirected into the payload written into the child before it is resumed.
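The four registry checks listed for this target (VirtualBox Guest Additions, VMware Tools, BIOS information, drive enumeration) plus the country-code and Outlook-profile lookups are individually unremarkable; what marks a stealer is that one process performs several of them in a row. The detector below, an added example that is not part of the report, scores a process by the categories of registry keys it reads. The key paths are the ones these checks are commonly implemented with and are an assumption on my part, since the report names only the signatures; the trace format and the events are constructed.

```python
"""Score a process's registry reads for the sandbox-evasion and collection
checks flagged in the report.

Added example; not Triage's code. The key paths are the ones these checks
are commonly implemented with (an assumption: the report lists only the
signature names), and the trace lines are constructed.
"""

# category -> (kind, lowercase substrings of the registry path that indicate it)
CHECKS = {
    "virtualbox_guest_additions": ("evasion", [r"\oracle\virtualbox guest additions"]),
    "vmware_tools":               ("evasion", [r"\vmware, inc.\vmware tools"]),
    "bios_information":           ("evasion", [r"\hardware\description\system\bios",
                                               r"\hardware\description\system\systembiosversion"]),
    "connected_drives":           ("evasion", [r"\services\disk\enum"]),
    "geo_nation":                 ("geofence", [r"\control panel\international\geo\nation"]),
    "outlook_profiles":           ("collection", [r"\outlook\profiles"]),
}

# Only read/open operations count; writes to the same keys are normal app behaviour.
READ_APIS = {"RegOpenKeyExW", "RegQueryValueExW", "NtOpenKey", "NtQueryValueKey"}


def categorize(path):
    """Return the sorted list of check categories a registry path belongs to."""
    p = path.lower()
    return sorted(cat for cat, (_, needles) in CHECKS.items() if any(n in p for n in needles))


def profile_trace(trace_text):
    """Trace lines are pid|image|api|path. Returns {pid: {"image", "categories"}}."""
    procs = {}
    for line in trace_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pid, image, api, path = line.split("|", 3)
        if api not in READ_APIS:
            continue
        entry = procs.setdefault(int(pid), {"image": image, "categories": set()})
        entry["categories"].update(categorize(path))
    return procs


def verdict(categories):
    """Two or more distinct evasion checks, or an evasion check combined with a
    geofence or mailbox lookup, is the stealer-style pattern in this report;
    a lone lookup is ordinary application behaviour."""
    kinds = [CHECKS[c][0] for c in categories]
    evasion = kinds.count("evasion")
    if evasion >= 2 or (evasion >= 1 and ("geofence" in kinds or "collection" in kinds)):
        return "suspicious"
    return "benign"


def suspicious_pids(trace_text):
    return sorted(pid for pid, e in profile_trace(trace_text).items()
                  if verdict(e["categories"]) == "suspicious")


SAMPLE_TRACE = r"""# constructed registry-access trace: pid|image|api|path
4100|sample.exe|RegOpenKeyExW|HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
4100|sample.exe|RegOpenKeyExW|HKLM\SOFTWARE\VMware, Inc.\VMware Tools
4100|sample.exe|RegQueryValueExW|HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
4100|sample.exe|RegQueryValueExW|HKCU\Control Panel\International\Geo\Nation
4100|sample.exe|RegOpenKeyExW|HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
4100|sample.exe|RegQueryValueExW|HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0
2244|explorer.exe|RegQueryValueExW|HKCU\Control Panel\International\Geo\Nation
3010|outlook.exe|RegOpenKeyExW|HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
3010|outlook.exe|RegSetValueExW|HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
"""

if __name__ == "__main__":
    for pid, entry in profile_trace(SAMPLE_TRACE).items():
        print(pid, entry["image"], sorted(entry["categories"]), verdict(entry["categories"]))
```

The thresholds in verdict() are deliberately conservative: explorer.exe reading the Geo\Nation value and Outlook opening its own profile key stay benign, while the sample, which touches all six categories, is flagged. In production this would run over EDR or Sysmon registry telemetry rather than a sandbox trace, and the substrings would be anchored to full key paths to avoid false hits on similarly named keys.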
Target: PICTURES.SCR
Size: 722KB
MD5: 97585500981a1864a1e045f9142ed265
SHA1: 99ade1bf5a28865c51e89b58971f17a2bf815187
SHA256: 41cc6dbe14e3c58d4d0f7a21da2f610f44af575ec10976b9ed5f2b747373d4e7
SHA512: 5f1a97bc8b062f66b9f76bc603c8e68962b876eff6a511f60f8623f9ce554e5fae96ed6938b7cbdecf6610b64b77a03bcd48f5194c2a981be74ef2c318dc4914

Signatures:
- Looks for VirtualBox Guest Additions in registry
- NirSoft MailPassView
  Legitimate password recovery tool for various email clients; its presence inside a sample indicates credential dumping.
- NirSoft WebBrowserPassView
  Legitimate password recovery tool for various web browsers; its presence inside a sample indicates credential dumping.
- Nirsoft
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Uses the VBS compiler for execution
  The Visual Basic compiler (vbc.exe), a legitimate .NET Framework binary, is spawned and commonly used as the host process into which the payload is injected.
- Accesses Microsoft Outlook accounts
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP; the request itself is a usable network indicator of the infection.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
  Setting the thread context of a suspended child process is the final step of process hollowing: the entry point is redirected into the payload written into the child before it is resumed.
Target: REACH_ST.BAT
Size: 489KB
MD5: e151d6912989eea1ed5f7fb70d24bd0d
SHA1: 1e7a5887f6da7929e33d97f6c068ab26f6c5017f
SHA256: 9d16660c6cbee0c09d8046e43cec9523ca047f7478723c7e04a255c644794c6e
SHA512: 22e7561a8050c8c2b58f56fff47c5e279ce9c3330dad3f2969bff4776250ef29fff84e5270da0bf01c9fb752367f6e64dcc2bc2eefdb40c99d17ad7995f9cf4b

Signatures:
- AgentTesla
  Agent Tesla is a .NET information stealer and remote access tool (RAT), typically written in Visual Basic .NET; it harvests stored credentials and exfiltrates them, here over SMTP as in the configs extracted above.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
  Outlook profile data in the registry holds stored mail account settings and credentials, a standard stealer target.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
  Setting the thread context of a suspended child process is the final step of process hollowing: the entry point is redirected into the payload written into the child before it is resumed.
Target: TEMPLATE.BAT
Size: 487KB
MD5: a4b9cb78deefd62d30d2f21e65fe8c7a
SHA1: 55820f96071437f08f6ea4e656a0497e71292916
SHA256: 99b2d9e790cfb597b01a934bcf113cd6675f4a5ef260da57ef2a86d68ecbc1b2
SHA512: 770d4dd21e674ac88922b42fc2d5e5eda4fb4c58cb9daf04f8396932505da5ddf05c67719d326f01cb244349b244fd896cc2142c01fdf6aecc71bf87ded76da0

Signatures:
- Matiex Main Payload
  Matiex is a commodity keylogger and information stealer. The matiex config extracted above exfiltrates over SMTP and sends to sales01@seedwellresources.xyz, the same mailbox the AgentTesla configs authenticate with, which ties the four files in this archive to one operator.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP; the request itself is a usable network indicator of the infection.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
  Setting the thread context of a suspended child process is the final step of process hollowing: the entry point is redirected into the payload written into the child before it is resumed.
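"Suspicious use of SetThreadContext" is raised for all four targets, and on its own the API is ambiguous (debuggers and exception handlers use it too). What makes it malicious is the surrounding sequence: a child created with CREATE_SUSPENDED, its original image unmapped, the payload written in, the thread context repointed, and the thread resumed. The detector below, an added example that is not part of the report, reconstructs that sequence from an API trace. The trace format and all events are constructed; using vbc.exe as the hollowed host is my assumption, chosen to line up with the "VBS compiler" signature on PICTURES.SCR.

```python
"""Detect the process-hollowing API sequence behind "Suspicious use of
SetThreadContext", the signature shared by all four targets in the report.

Added example; not Triage's code. The trace format and the events are
constructed; the API sequence (create suspended, unmap, allocate, write,
SetThreadContext, ResumeThread) is the classic hollowing pattern, and the
vbc.exe host process is an assumption matching the "VBS compiler" signature.
"""
import re

CREATE_SUSPENDED = 0x4
HOLLOW_STEPS = {"WriteProcessMemory", "SetThreadContext", "Wow64SetThreadContext", "ResumeThread"}
REQUIRED = {"WriteProcessMemory", "SetThreadContext", "ResumeThread"}


def parse_trace(text):
    """Trace lines are caller_pid|api|target_pid|detail. Returns a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        caller, api, target, detail = line.split("|", 3)
        events.append({"caller": int(caller), "api": api, "target": int(target), "detail": detail})
    return events


def find_hollowing(events):
    """One finding per (parent, child) where a process created with
    CREATE_SUSPENDED later receives written memory, a new thread context and a
    ResumeThread from its creator. Unmapping the original image distinguishes
    classic hollowing from overwriting the mapped image in place."""
    candidates = {}  # (parent, child) -> state
    for ev in events:
        key = (ev["caller"], ev["target"])
        if ev["api"] in ("CreateProcessW", "CreateProcessA"):
            m = re.search(r"flags=0x([0-9a-fA-F]+)", ev["detail"])
            flags = int(m.group(1), 16) if m else 0
            if flags & CREATE_SUSPENDED:
                im = re.search(r"image=(\S+)", ev["detail"])
                candidates[key] = {"image": im.group(1) if im else "?", "steps": set(), "unmapped": False}
            continue
        state = candidates.get(key)
        if state is None:
            continue  # SetThreadContext on a process the caller did not create suspended
        if ev["api"] in ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"):
            state["unmapped"] = True
        elif ev["api"] in HOLLOW_STEPS:
            state["steps"].add(ev["api"].replace("Wow64", ""))
    findings = []
    for (parent, child), st in candidates.items():
        if REQUIRED <= st["steps"]:
            findings.append({"parent": parent, "child": child, "image": st["image"],
                             "technique": "hollowing" if st["unmapped"] else "overwrite-in-place"})
    return findings


def hollowed_children(text):
    return [f["child"] for f in find_hollowing(parse_trace(text))]


SAMPLE_TRACE = r"""# constructed API trace: caller_pid|api|target_pid|detail
4100|CreateProcessW|4212|image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe flags=0x00000004
4100|NtUnmapViewOfSection|4212|base=0x400000
4100|VirtualAllocEx|4212|addr=0x400000 size=0x6a000 prot=PAGE_EXECUTE_READWRITE
4100|WriteProcessMemory|4212|addr=0x400000 size=0x400
4100|WriteProcessMemory|4212|addr=0x401000 size=0x69000
4100|SetThreadContext|4212|eip=0x40a1b0
4100|ResumeThread|4212|
5600|CreateProcessW|5612|image=C:\Windows\System32\cmd.exe flags=0x00000000
5600|ResumeThread|5612|
777|SetThreadContext|777|eip=0x7ff612340000
"""

if __name__ == "__main__":
    for finding in find_hollowing(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Only the vbc.exe child is reported: the cmd.exe child was not created suspended, and pid 777 calling SetThreadContext on itself never enters the candidate set. The same state machine maps onto EDR telemetry that records process creation flags and cross-process memory writes; a hit where the hollowed image is a signed .NET binary such as vbc.exe is exactly what the "Uses the VBS compiler for execution" and "Suspicious use of SetThreadContext" signatures describe together.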