General

  • Target: af326a34efc85541f5da41eba908c3fb6532c61d0b75038fa0d7350db1490d12
  • Size: 2.7MB
  • Sample: 220520-3zv79scfeq
  • MD5: 33b2f1559d23a467aa4b3c7883eed39f
  • SHA1: 6e4f14f050024dbef7bf01da0f263d39da92e5e9
  • SHA256: af326a34efc85541f5da41eba908c3fb6532c61d0b75038fa0d7350db1490d12
  • SHA512: 2247ce7399cb0702642212ac2ada18e120f8826c12a5cf3cd9fcb6970207311e6f06c2fb516a4739e32ea6449d1ec6b48378e14cb79765ef3c6482e26d98e2bb

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.gmail.com
  • Port: 587
  • Username: onnybekee2@gmail.com
  • Password: z123456789ok

Extracted

Credentials

  • Protocol: smtp
  • Host: smtp.privateemail.com
  • Port: 587
  • Username: sales01@seedwellresources.xyz
  • Password: coronavirus2020

Extracted

Family

matiex

Credentials

  • Protocol: smtp
  • Host: smtp.privateemail.com
  • Port: 587
  • Username: sales02@seedwellresources.xyz
  • Password: coronavirus2020
  • Email To: sales01@seedwellresources.xyz

Targets

    • Target: BV10013_.BAT
    • Size: 490KB
    • MD5: 75c564a6cdbdabbfebc987ca24175e8f
    • SHA1: d20db6904b85c9e65a62aa0d14cb673f7f8d5678
    • SHA256: a83a9e5760babc377c95ad2aa5d8b9e895f445cf4c0f8869a4ebc4be3fbaf3e9
    • SHA512: 0317342c9347dca4c5cb41151149696807830b49865bc47657616ba60a7ed5102f08e0daa849871bb9cc948db2b1a08916ee5da067ef16c3eceebe4a53bc8ad6

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target: PICTURES.SCR
    • Size: 722KB
    • MD5: 97585500981a1864a1e045f9142ed265
    • SHA1: 99ade1bf5a28865c51e89b58971f17a2bf815187
    • SHA256: 41cc6dbe14e3c58d4d0f7a21da2f610f44af575ec10976b9ed5f2b747373d4e7
    • SHA512: 5f1a97bc8b062f66b9f76bc603c8e68962b876eff6a511f60f8623f9ce554e5fae96ed6938b7cbdecf6610b64b77a03bcd48f5194c2a981be74ef2c318dc4914

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Looks for VirtualBox Guest Additions in registry

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • NirSoft

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target: REACH_ST.BAT
    • Size: 489KB
    • MD5: e151d6912989eea1ed5f7fb70d24bd0d
    • SHA1: 1e7a5887f6da7929e33d97f6c068ab26f6c5017f
    • SHA256: 9d16660c6cbee0c09d8046e43cec9523ca047f7478723c7e04a255c644794c6e
    • SHA512: 22e7561a8050c8c2b58f56fff47c5e279ce9c3330dad3f2969bff4776250ef29fff84e5270da0bf01c9fb752367f6e64dcc2bc2eefdb40c99d17ad7995f9cf4b

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target: TEMPLATE.BAT
    • Size: 487KB
    • MD5: a4b9cb78deefd62d30d2f21e65fe8c7a
    • SHA1: 55820f96071437f08f6ea4e656a0497e71292916
    • SHA256: 99b2d9e790cfb597b01a934bcf113cd6675f4a5ef260da57ef2a86d68ecbc1b2
    • SHA512: 770d4dd21e674ac88922b42fc2d5e5eda4fb4c58cb9daf04f8396932505da5ddf05c67719d326f01cb244349b244fd896cc2142c01fdf6aecc71bf87ded76da0

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                        ID      Count
  Execution             Scheduled Task                   T1053   4
  Execution             Scripting                        T1064   1
  Persistence           Scheduled Task                   T1053   4
  Privilege Escalation  Scheduled Task                   T1053   4
  Defense Evasion       Virtualization/Sandbox Evasion   T1497   8
  Defense Evasion       Scripting                        T1064   1
  Discovery             Query Registry                   T1012   20
  Discovery             Virtualization/Sandbox Evasion   T1497   8
  Discovery             System Information Discovery     T1082   16
  Discovery             Peripheral Device Discovery      T1120   4
  Collection            Email Collection                 T1114   3