General

  • Target: Remittance pos.invioce.img
  • Size: 58KB
  • Sample: 230601-mqvblsdg94
  • MD5: e62321b20f052583be4d8f34fb979527
  • SHA1: ea0e4804b69713c65dcd2427867a8b5d5ab150eb
  • SHA256: ce7c3c09794ee39a804fc03c191aecbc30c6d96cdf8a87cad9d92a06a118883f
  • SHA512: f9e288d177eed2dac3f5af1129afcabc6458d9e1a8dc7de73e89f5de14b100274e5dfecdf62cf79a2a0dfeb492820ceda68a040a3db38630eecc38231a982a1d
  • SSDEEP: 384:bdqwRdqw4kfwLZLbqLFr7dNET+t3S8qA:b4wR4wGdb2ZEanqA

Malware Config

Extracted

  • Family: purecrypter
  • C2: http://85.31.45.42/Dsgnow.dll

Extracted

  • Family: agenttesla
  • Credentials:
      Protocol: smtp
      Host: mail.keefort.com.ec
      Port: 587
      Username: ssg@keefort.com.ec
      Password: u=Wa6eChU3nj
      Email To: kaka@kingsamodin.com

Targets

    • Target: Remittance pos.invioce.exe
    • Size: 8KB
    • MD5: b400834d73b4a98fc9d7abf83a149a2b
    • SHA1: 8679b02dd6f9166152d1111374659c0639500043
    • SHA256: 1f5d7c12cd6c2ea7752258c06c20b68bde32d1a3ef6e647c3cf809e1283452f6
    • SHA512: 80fc4660b6e512093bb4e3753615b80bc09a092fc2852f932274e181303c756c8e6054c97b3d2139afad7d0128ae566b0772880e56660c83edaac67207e0703e
    • SSDEEP: 192:NgkfwL2sLMg+JLFr7dYeHkRW4zkXvvF3Hy8qgBG:qkfwLZLbqLFr7dNET+t3S8qA

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • PureCrypter
      PureCrypter is a .NET malware loader first seen in early 2021.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs such as FileZilla.

    • Reads user/profile data of local email clients
      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP address.

MITRE ATT&CK Matrix (ATT&CK v6)

Credential Access
  • Credentials in Files (T1081): 3

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Collection
  • Data from Local System (T1005): 3
  • Email Collection (T1114): 1

Tasks