Extracted

• • Target

    (电-子-发-票）.exe

  • Size

    36KB

  • MD5

    928c43415fa08992ecf34e90db8c2a5b

  • SHA1

    b2bd43ff4005bce6d39fad9d8bf2c2f25a89f37c

  • SHA256

    e9cc6d34b4e20a11e3af01182672a0ca71d111d1b89d73fc8584a5534d491d7e

  • SHA512

    d1c847fbf19e5d7661ff90b365decc25142de94304c812c016719948901586378909d28424bb388f904f01b072f7840758d6baa4e75a7f857799333acab7976d

  • SSDEEP

    384:4krtyExpPhFmSkkuJ0EKtU/lOgDTp4nuHD80sApEQDeT6lF:jVh93umEeUcgDTWujtP

  Score

  10^/10

  gh0stratevasionratupx

  • Gh0st RAT payload

  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    Dekont,pdf.exe

  • Size

    220KB

  • MD5

    3f1c97d2f5200204e711e812b63b2b99

  • SHA1

    b7edbc37fd17d4b1d890ffa5565b548f4aebb40e

  • SHA256

    45a156f54da1d261e560ed2ebfd861aca470562ccca7878f44421de8089c224e

  • SHA512

    05893ea315eab2e08dfbc8d8cdf1edcfe9086ac48e02c9ebc02e3319eb7901e0097ecaf2156275773f47dce332a7d4274bbb596ae1763cde78bd1e55e7a25131

  • SSDEEP

    6144:fYYUtx+U3w8fg7Mv2D7mtGB8BHVQ+zJcM/PA6gLnqI:fFUt4eq+2Xmto8BjF9AuI

  Score

  10^/10

  agentteslacollectionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral3behavioral4

• • Target

    资金账户对账单导出.com

  • Size

    6.7MB

  • MD5

    3856a53ca2dca3c535746c194c7afb1d

  • SHA1

    89b3c74be1520a0932fed53e783212fe092641cc

  • SHA256

    7086ed025a5c4089495785a51fc9685e853e780eee24a1fefe695d486f0066a1

  • SHA512

    85d4b667f670deeb48d5d782965be8c7a06bb236d4db31373b93ec2379d78c6b67add6f88c0240d14bf91b8e728f167ebbf99299df1bb4be246eeebaa4e960c8

  • SSDEEP

    196608:LCj744gpV+cTnIknHCdzRFY4Mx53wOOj7Wl:LCjUfdbxnHcznY4M33TI

  Score

  10^/10

  fatalratinfostealerrat

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat

  • Fatal Rat payload

    ratinfostealer

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral5behavioral6