General

  • Target

    c46ee625d9626c6583f1129a66c6044d50ae10ba95fec689e13646a0278afbe0

  • Size

    1.3MB

  • Sample

    220521-cl4pdahbcq

  • MD5

    52f8f77ad3645ad1ff87f005b6a8fc14

  • SHA1

    a47251a438dbbf3db0d80d760748b51dcb3222a0

  • SHA256

    c46ee625d9626c6583f1129a66c6044d50ae10ba95fec689e13646a0278afbe0

  • SHA512

    8bcd7f7bbc89dfcce696d7ade3c8776b9d5ae6162c012361a999ecb241d6a4d38e5efa4536d51397180000c6c5bbb122c06a732e029c5fad6d08fffaffd4e0e5

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    z123456789ok

Extracted

Family

formbook

Version

4.1

Campaign

hha

Decoy

atarairdive.com

binanca.com

krepostta-sofia.com

chiangmaipartys.com

bestglobalseo.com

rdsri.com

immaginaeventi.com

lushrox.com

kenderia.com

goldenbrownacademy.com

kiddyquest.com

cs-support.online

magicovino.com

banderasacuadros.com

originalducatispareparts.com

tfpfleet.com

wickedmaple.com

fasypeoplesearch.com

zggwpmwdcp.com

boav11.com

Targets

    • Target

      BV10013(Rev A).scr

    • Size

      656KB

    • MD5

      208671e3fc9131fb1f9d0676d58ec5a8

    • SHA1

      307bfd08bf763e3a8d099e9819b694aa8dfe945b

    • SHA256

      1ac93b118f2f6facc20288611532e4f0f898967e262a6c9cea66bc2da07ad732

    • SHA512

      a4bb8cd5ae82e6bce6cd8815dddc64c18b76c44725c3629666c08c08fde15ec4a96da7971b74aad2abebd7b40291dae8da3d6e969910cc39d807d2410f1e26f6

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      Packing.scr

    • Size

      566KB

    • MD5

      aca270dcb0654e6e0480cb2287934969

    • SHA1

      9167e147f41f53736531e3e0791774caeab74341

    • SHA256

      a17afb19461b7a3a23576250e3fe3a3970afa5a143167fe97e97aeadcd9705d4

    • SHA512

      dc97a0bf6805b1ec1354c2c035dcbfef70a3c8634eab335dcbedb76831a6dab5e441fab3b52f5a09a51855ff242354df69d48840858e02f818fe0c7114afa5e1

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      me.scr

    • Size

      502KB

    • MD5

      6b693ec92fa73a62acad9332bbf4b00e

    • SHA1

      b80dc9288fd45bb5db01c98a100e57bbc0da1570

    • SHA256

      d7740644db0391caebce4ec75e92a95062eb29b65cf118815907ae1a291421a1

    • SHA512

      09b3ce7c75f1ce37133d7f9e6d4a487f28ec3b7ebfa67e66db300414d08bc366c74b3c87fc8267fa85a8237489ddfa781fe4d4fe48ebacf80ff8e2225d4d6d53

    • Formbook

      Formbook is a data-stealing malware family (infostealer).

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Formbook Payload

    • Adds policy Run key to start application

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (2): T1053
    Scripting (1): T1064

  • Persistence

    Scheduled Task (2): T1053
    Registry Run Keys / Startup Folder (1): T1060

  • Privilege Escalation

    Scheduled Task (2): T1053

  • Defense Evasion

    Virtualization/Sandbox Evasion (4): T1497
    Modify Registry (3): T1112
    Scripting (1): T1064

  • Credential Access

    Credentials in Files (1): T1081

  • Discovery

    Query Registry (10): T1012
    Virtualization/Sandbox Evasion (4): T1497
    System Information Discovery (8): T1082
    Peripheral Device Discovery (2): T1120

  • Collection

    Email Collection (2): T1114
    Data from Local System (1): T1005

Tasks