General

  • Target

    invoice_7_812937_pdf.ppam

  • Size

    40KB

  • Sample

    220923-hkr7vahdan

  • MD5

    0e53abb39e7f2e3a1fcfbd49dbebbb06

  • SHA1

    ceae24d2c19181149f97bd012df151824c92a509

  • SHA256

    c639cb71b586b5468a37ece7afc56c2b9653f15021a9ecc83e6428c744ac99b8

  • SHA512

    d46fecf342da7300640084199b9f9a8277f949b31aa8fb171cb1b272ce2b0f563c6d5de063642112a1de4f31f0c3f9783a45f499087ea5de400ec4ac0ea3a669

  • SSDEEP

    768:eARJ/c/lsTsK/n/Okf6R9/i/L2pdAVQuLPdYIhjtzCNKJAlFCgwZHyTZigXJ1/hB:eAXkt09fmj7ajvZqvzP/CoB91/K8NytQ

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://www.bndsafety.xyz/p/7.html

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    107.182.129.168
  • Port:
    21
  • Username:
    asasbvvryr7
  • Password:
    zxzxzmn

Targets

    • Target

      invoice_7_812937_pdf.ppam

    • Size

      40KB

    • MD5

      0e53abb39e7f2e3a1fcfbd49dbebbb06

    • SHA1

      ceae24d2c19181149f97bd012df151824c92a509

    • SHA256

      c639cb71b586b5468a37ece7afc56c2b9653f15021a9ecc83e6428c744ac99b8

    • SHA512

      d46fecf342da7300640084199b9f9a8277f949b31aa8fb171cb1b272ce2b0f563c6d5de063642112a1de4f31f0c3f9783a45f499087ea5de400ec4ac0ea3a669

    • SSDEEP

      768:eARJ/c/lsTsK/n/Okf6R9/i/L2pdAVQuLPdYIhjtzCNKJAlFCgwZHyTZigXJ1/hB:eAXkt09fmj7ajvZqvzP/CoB91/K8NytQ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Collection

Email Collection

1
T1114

Tasks