General
-
Target
Cyber Security Support.exe
-
Size
22MB
-
Sample
230609-eevh8sbf3z
-
MD5
8452fe515826ab6f43eff16918a40e32
-
SHA1
64859677fd830793f787fa87c7b29f75883da5cd
-
SHA256
49d03705739faacb94c8025aaa432597d309fe96026c97ea4f0412bbf09f7a2e
-
SHA512
6429fa27c63290a777ab6836e7e97b552afdf396a505876fef068929af3da40be01eb505809e4e5bcbb8421ee401439e14a345854b6a17b8ffa8f43375728994
-
SSDEEP
393216:KOTMIRuiduUzRK3oMS6smRo6SxIM/L/JUH6eBkpH1ed/cViEZs1e4Vj5NnExjuwM:Fg1Oo4WsmRorIMbJUHmpVPiE29XnExjg
Static task
static1
Behavioral task
behavioral1
Sample
Cyber Security Support.exe
Resource
win10v2004-20230221-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.grad-vodice.hr - Port:
587 - Username:
marija.bilac@grad-vodice.hr - Password:
pKs9zy8Nn1
Extracted
cobaltstrike
http://47.236.19.63:443/9Avm
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM; MANM)
Extracted
cobaltstrike
391144938
http://47.236.19.63:443/load
http://47.236.19.63:443/j.ad
-
access_type
512
-
beacon_type
2048
-
host
47.236.19.63,/load
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC77iD7GYDOhb9ygs4RVakaD7sOXWZC+dZVhZOZPGtUEHFQf63LQpM6CXg+ELJatjhVObHenvBRznPMaEGmxjcWBCaMNqJ3cjWal0tCjGKHphpwMqnwePc2Zl9vIZaWlke/cuCwtDsniLP6xVDTKmY2lOiXbDWTOz7fnlpSJb5I1QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
-
watermark
391144938
Extracted
agenttesla
Protocol: smtp- Host:
mail.grad-vodice.hr - Port:
587 - Username:
marija.bilac@grad-vodice.hr - Password:
pKs9zy8Nn1 - Email To:
triangleshpk@skiff.com
Targets
-
-
Target
Cyber Security Support.exe
-
Size
22MB
-
MD5
8452fe515826ab6f43eff16918a40e32
-
SHA1
64859677fd830793f787fa87c7b29f75883da5cd
-
SHA256
49d03705739faacb94c8025aaa432597d309fe96026c97ea4f0412bbf09f7a2e
-
SHA512
6429fa27c63290a777ab6836e7e97b552afdf396a505876fef068929af3da40be01eb505809e4e5bcbb8421ee401439e14a345854b6a17b8ffa8f43375728994
-
SSDEEP
393216:KOTMIRuiduUzRK3oMS6smRo6SxIM/L/JUH6eBkpH1ed/cViEZs1e4Vj5NnExjuwM:Fg1Oo4WsmRorIMbJUHmpVPiE29XnExjg
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-