General
-
Target
CaixaBank_ Documento de Pago_Pdf.iso
-
Size
1.2MB
-
Sample
230210-mxff2acb77
-
MD5
3a690161d2dffae3c9fa92af44297ebf
-
SHA1
3cd133fac221a812c5ba80b14fab68497d30d06d
-
SHA256
29d212f84a154cdc5f3d9427f03113e9681dee943963a9779f466ecadab0ed40
-
SHA512
b579f7fea122e28180c3ee084ac9e9133bfab4031340bcdf958a3773c66ebec5f7718a1a1456441a3161b21f351067dcc1cf09872bcab4eaffa4403342a4136d
-
SSDEEP
384:LQJn8SOHLPTDeUzpNGkrdwTXCZB9i3oN6anxOPz0GwJ3TDCYt/9QylTW:Mn8rLyUfi3yLDTVW
Malware Config
Extracted
purecrypter
http://superbtanzaniasafaris.com/zav/Qtpprpwy.bmp
Extracted
agenttesla
Protocol: smtp- Host:
mail.humanpower.vn - Port:
587 - Username:
[email protected] - Password:
xlA}CL.(Jj8C - Email To:
[email protected]
Targets
-
-
Target
CAIXABAN.EXE
-
Size
72KB
-
MD5
fe3ab924e1d37874593b376966d5440f
-
SHA1
9a6e8a32dbdac605421d987022f0bd12ed6fa415
-
SHA256
c6f61c3603ed074cec9af4cf5b6c4f56ef5d476e4cb06e21e5c1b313128b4e0d
-
SHA512
68c48f55f875dbd9781df595ffc2812b4e776a90a46d2e4ece114b079e3e0537d461f8da58947c4b9d029dfb5e3d30994861231d8e7280fc807a31e160dade0e
-
SSDEEP
384:o8SOHLPTDeUzpNGkrdwTXCZB9i3oN6anxOPz0GwJ3TDCYt/9QylTW:o8rLyUfi3yLDTVW
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-