General
- Target: c46ee625d9626c6583f1129a66c6044d50ae10ba95fec689e13646a0278afbe0
- Size: 1.3MB
- Sample: 220521-cl4pdahbcq
- MD5: 52f8f77ad3645ad1ff87f005b6a8fc14
- SHA1: a47251a438dbbf3db0d80d760748b51dcb3222a0
- SHA256: c46ee625d9626c6583f1129a66c6044d50ae10ba95fec689e13646a0278afbe0
- SHA512: 8bcd7f7bbc89dfcce696d7ade3c8776b9d5ae6162c012361a999ecb241d6a4d38e5efa4536d51397180000c6c5bbb122c06a732e029c5fad6d08fffaffd4e0e5
Static task
- static1
Behavioral tasks
- behavioral1: Sample BV10013(Rev A).scr, Resource win7-20220414-en
- behavioral2: Sample BV10013(Rev A).scr, Resource win10v2004-20220414-en
- behavioral3: Sample Packing.scr, Resource win7-20220414-en
- behavioral4: Sample Packing.scr, Resource win10v2004-20220414-en
- behavioral5: Sample me.scr, Resource win7-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: z123456789ok
Extracted: formbook
- Version: 4.1
- hha
Targets
Target: BV10013(Rev A).scr
- Size: 656KB
- MD5: 208671e3fc9131fb1f9d0676d58ec5a8
- SHA1: 307bfd08bf763e3a8d099e9819b694aa8dfe945b
- SHA256: 1ac93b118f2f6facc20288611532e4f0f898967e262a6c9cea66bc2da07ad732
- SHA512: a4bb8cd5ae82e6bce6cd8815dddc64c18b76c44725c3629666c08c08fde15ec4a96da7971b74aad2abebd7b40291dae8da3d6e969910cc39d807d2410f1e26f6
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
Target: Packing.scr
- Size: 566KB
- MD5: aca270dcb0654e6e0480cb2287934969
- SHA1: 9167e147f41f53736531e3e0791774caeab74341
- SHA256: a17afb19461b7a3a23576250e3fe3a3970afa5a143167fe97e97aeadcd9705d4
- SHA512: dc97a0bf6805b1ec1354c2c035dcbfef70a3c8634eab335dcbedb76831a6dab5e441fab3b52f5a09a51855ff242354df69d48840858e02f818fe0c7114afa5e1
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
Target: me.scr
- Size: 502KB
- MD5: 6b693ec92fa73a62acad9332bbf4b00e
- SHA1: b80dc9288fd45bb5db01c98a100e57bbc0da1570
- SHA256: d7740644db0391caebce4ec75e92a95062eb29b65cf118815907ae1a291421a1
- SHA512: 09b3ce7c75f1ce37133d7f9e6d4a487f28ec3b7ebfa67e66db300414d08bc366c74b3c87fc8267fa85a8237489ddfa781fe4d4fe48ebacf80ff8e2225d4d6d53
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Adds policy Run key to start application
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext