General
Target: HSBC payment receipt confirmation.exe
Size: 302KB
Sample: 230403-pnxp3agc2x
MD5: ec5df44a36001e9f2200fd7fff14924f
SHA1: 8d2022e732d1e5f6ac485b5109126bb36bc84e23
SHA256: caf7cfc2d3a76c442c36aa41e192ade5c4da13e51000b8f2746cc0ced8f4e0a1
SHA512: 5787b6b2ce2f3e36d4f37100bb01af1236d386c96c9ecb5e457210db9d4fd16369c1b2248552bf919d1b8cbc0e607e64485d13566769e001bfdeb7b164dd05d6
SSDEEP: 6144:+OGfqDye3NCT8yGjm04y0O12udoEUAybGMVxI:+OmiCgD4wldEKMVxI
Static task: static1
Behavioral task: behavioral1
Sample: HSBC payment receipt confirmation.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: HSBC payment receipt confirmation.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted
Family: warzonerat
C2: 91.192.100.10:11011
Extracted
Protocol: smtp
Host: mail.mondistar.ro
Port: 587
Username: [email protected]
Password: MondiStar@2018!
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.mondistar.ro
Port: 587
Username: [email protected]
Password: MondiStar@2018!
Email To: [email protected]
Targets
Target: HSBC payment receipt confirmation.exe
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext