General
-
Target
2020-07-20.zip
-
Size
347.3MB
-
Sample
230724-haylwaag65
-
MD5
712b5aa5e08566a0f01a0a39418d6132
-
SHA1
91349082a104f862b531278769f3d0c587244fc0
-
SHA256
18fcb8604dc88c010d786be917f618a461876f5db6f80f1f8a64bc3b8fe48a98
-
SHA512
12642ecf4ebc7be19bd78b5b18d4a283ce5d7008eaa616dcc962e9fd21a083bb59821f72995843a8884fd1e6722a74da1461dea6bb49e789b4bf7b4fcb019016
-
SSDEEP
6291456:7EC9ko9Z5jyHn8ly4KT5uOXAKcXPAANTaqWXmhN0pxn+UeXiGf9dHh2hWFr40VCn:7E09Z5mc4FcfAAvhWpxnoLf9dHZxVQrz
Malware Config
Extracted
sodinokibi
$2a$10$MN/9PlT2MnK8i7UVjwbr0ep8gPm9H4sNOFD0lcgzoH4.2q72IHSkK
4710
coastalbridgeadvisors.com
comparatif-lave-linge.fr
thomasvicino.com
colorofhorses.com
nacktfalter.de
global-kids.info
xoabigail.com
cursoporcelanatoliquido.online
brawnmediany.com
importardechina.info
plastidip.com.ar
higadograsoweb.com
wari.com.pe
blgr.be
mastertechengineering.com
d2marketing.co.uk
littlebird.salon
geekwork.pl
101gowrie.com
beyondmarcomdotcom.wordpress.com
-
net
true
-
pid
$2a$10$MN/9PlT2MnK8i7UVjwbr0ep8gPm9H4sNOFD0lcgzoH4.2q72IHSkK
-
prc
encsvc
steam
intuit
mspub
tbirdconfig
^MSExchange.*$
ocssd
isqlplussvc
wordpa
agntsvc
sqbcoreservice
sql
mydesktopservice
^store$
mydesktopqos
dbeng50
msaccess
xfssvccon
onenote
winword
^qb.*$
infopath
thebat
ocomm
synctime
ntdbsmgr
^Microsoft.Exchange.*$
oracle
thunderbird
^store.exe$
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instructions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
4710
-
svc
mepocs
vss
backup
veeam
sql
sophos
svc$
memtas
Extracted
nanocore
1.2.2.0
dera118.hopto.org:7031
185.140.53.135:7031
harolds.ooguy.com:6051
harold.2waky.com:6051
4ca1922c-b93c-4fb2-826c-d0806938edcc
-
activate_away_mode
true
-
backup_connection_host
185.140.53.135
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-04-30T22:08:05.557339036Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
7031
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
4ca1922c-b93c-4fb2-826c-d0806938edcc
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
dera118.hopto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
sodinokibi
$2a$10$DNoARQjmlusPylr6hH6sDuMN4xmQbhpYUWfKtAGJzvnUBouo7OgnC
4874
educar.org
chrissieperry.com
bookspeopleplaces.com
itelagen.com
craftleathermnl.com
testzandbakmetmening.online
bordercollie-nim.nl
kidbucketlist.com.au
lubetkinmediacompanies.com
vorotauu.ru
presseclub-magdeburg.de
siluet-decor.ru
xtptrack.com
buymedical.biz
panelsandwichmadrid.es
body-armour.online
makeurvoiceheard.com
lapinvihreat.fi
fannmedias.com
americafirstcommittee.org
-
net
true
-
pid
$2a$10$DNoARQjmlusPylr6hH6sDuMN4xmQbhpYUWfKtAGJzvnUBouo7OgnC
-
prc
tbirdconfig
isqlplussvc
firefox
powerpnt
mydesktopservice
dbeng50
thunderbird
agntsvc
mydesktopqos
sql
ocomm
encsvc
synctime
ocautoupds
mspub
xfssvccon
winword
steam
sqbcoreservice
msaccess
visio
infopath
excel
dbsnmp
oracle
wordpad
outlook
ocssd
thebat
onenote
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-read-me.txt and follow instuctions
-
ransom_template
---=== Welcome Churchill Corporate Services Inc., IT Vortex LLC, Nest Seekers LLC ===--- [+] Whats Happen? [+] Your internal network has been penetrated. Your files are encrypted with strong military algorithm, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). Also, all your business info copyed to our servers. Personal data of your patient and business contacts extracted. If you do not take action to contact us, the data will be published fo free access everyone. As soon as we receive the payment, all data will be deleted from our servers. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Contact with us in chat on website. You have 3 days. If you need more time to make a decision and collect money for payment - inform the support chat about this. [+] How will the decryption process proceed after payment? [+] After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
4874
-
svc
memtas
sophos
mepocs
vss
veeam
backup
svc$
sql
Extracted
asyncrat
0.5.7B
Default
172.94.47.80:4411
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
sodinokibi
$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa
1428
firstpaymentservices.com
krcove-zily.eu
softsproductkey.com
naturavetal.hr
corelifenutrition.com
leda-ukraine.com.ua
beaconhealthsystem.org
acomprarseguidores.com
extraordinaryoutdoors.com
mardenherefordshire-pc.gov.uk
stopilhan.com
triggi.de
anteniti.com
aunexis.ch
boosthybrid.com.au
bee4win.com
gadgetedges.com
tandartspraktijkheesch.nl
8449nohate.org
simoneblum.de
-
net
true
-
pid
$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa
-
prc
excel
mydesktopservice
sqlwriter
ocomm
powerpnt
oracle
mydesktopqos
ocautoupds
ocssd
encsvc
mysqld_opt
msaccess
visio
agntsvc
winword
sqlservr
tbirdconfig
wordpad
xfssvccon
msftesql
firefoxconfig
dbsnmp
onenote
thunderbird
outlook
isqlplussvc
dbeng50
mspub
thebat64
sqbcoreservice
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
1428
-
svc
vss
mepocs
veeam
svc$
backup
sophos
memtas
sql
Extracted
sodinokibi
$2a$10$umiybwuiiY9i8r8VBXSOi.CXsHbB0Zx3GSd8GbYRag9aFCNsAJ43i
3979
lorenacarnero.com
resortmtn.com
haremnick.com
allentownpapershow.com
idemblogs.com
toreria.es
boldcitydowntown.com
teczowadolina.bytom.pl
faroairporttransfers.net
rushhourappliances.com
mediaclan.info
digi-talents.com
xtptrack.com
bridgeloanslenders.com
gopackapp.com
rimborsobancario.net
almosthomedogrescue.dog
forestlakeuca.org.au
tenacitytenfold.com
theapifactory.com
-
net
true
-
pid
$2a$10$umiybwuiiY9i8r8VBXSOi.CXsHbB0Zx3GSd8GbYRag9aFCNsAJ43i
-
prc
thunderbird
oracle
onenote
ocomm
msaccess
xfssvccon
sqbcoreservice
isqlplussvc
mspub
dbeng50
ocautoupds
agntsvc
mydesktopqos
steam
excel
mydesktopservice
thebat
synctime
powerpnt
wordpad
ocssd
encsvc
tbirdconfig
winword
sql
infopath
dbsnmp
visio
firefox
outlook
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
3979
-
svc
mepocs
svc$
veeam
sophos
memtas
backup
sql
vss
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
Everest10
Extracted
Protocol: smtp- Host:
mail.qnm.sg - Port:
587 - Username:
[email protected] - Password:
qandmshuqing1!
Extracted
formbook
4.1
hkn
nickherbal.info
desenlicoraplar.com
logo8023.com
gta5.ltd
surgicalmind.com
sigmanautomotive.com
theophileblog.com
wallaborate.com
ottawatotalfootcare.com
theusacoupons.com
lagharha.com
393351u.info
letthemeatcakeny.com
imgoingtohellgame.com
lovedovesbeauty.com
cheapsalenow.com
prodigynebula.win
suzhoucheckmate.com
splashautopark.com
lieflokken.com
Extracted
Protocol: smtp- Host:
mail.flood-protection.org - Port:
587 - Username:
[email protected] - Password:
musa2424@
Extracted
warzonerat
158.69.115.206:5200
Extracted
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
IZmBVEm3
Extracted
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
js}$_IlwF1q4
Extracted
https://conferencesdiary.com/wp-content/uploads/templates/qjwwq.png
https://www.cornink.com/wp-content/templates/dzsttm.png
https://otcpress.aliencyb.org/wp-content/ttt/yhoskmc.png
Targets
-
-
Target
1b7f039e2beb71993aa281ed8137e45b1b9708531b54e3b46d347baa3cc6fc67.exe
-
Size
898KB
-
MD5
02cc74d9cac7d52bf1c63c43f017bcee
-
SHA1
3ac771f8343e45ac63b5802535d179b2f574532c
-
SHA256
1b7f039e2beb71993aa281ed8137e45b1b9708531b54e3b46d347baa3cc6fc67
-
SHA512
98f15f8de33757d52d408690880eb7c2425274433ca9c0c315edb7451b73a701f0aa02012c04d9b0fb7392e7b986ae01a87acb40b94a9bb7fdd59da9e4e9c646
-
SSDEEP
24576:QIhzYOPW2rEloDwdMRHP4/LBmf74RWoJ:wOzrsocdMRv4/LW74RWoJ
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
1bc393e569289b6d134bec11c9898225745d2348a8a297bf5fcb3c73a64c385e.exe
-
Size
878KB
-
MD5
9dcf195dc26fcbddd145ad670b055f03
-
SHA1
b274a3cb51b3c2b0caf34d202ee04e6b261e138e
-
SHA256
1bc393e569289b6d134bec11c9898225745d2348a8a297bf5fcb3c73a64c385e
-
SHA512
a2ca33f230e9df6227e33b889bfae20f654d2281c5a880f94c4e4e911b3c00901edceab2021e61bceaff86d92d525330f5e50c4a649b00fc4fa9bed7fcf43b65
-
SSDEEP
12288:FuybJQ1q9I6/kldSCGDykct0hiYeyoGBIqpTh2e1h1nUiZdmWVsQmood+ik4g8yX:FuEQOPWkhxNt2ChayAWOQmUrEloD
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf.exe
-
Size
1.1MB
-
MD5
f69261837f9da67ec44f9162d322b7ba
-
SHA1
953f07ea48032eab7dbfb0ba4eb27c323678694e
-
SHA256
1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf
-
SHA512
ae982649b499c4a779d304c77db55ffce2da2b5ef0618ff9b32e640edcb5e892bbd8bedfada32a51449f245a4f566bcb7e98c7e40672863dda52a3a1ec8026c7
-
SSDEEP
12288:ZuN51q9I6/kldSCGDyaod+ik4g8y3SoDOqvFR/CFFeY+qwBzn5D8:ZuN5OPW2rEloDOqvCFFdcv
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
1d9b74bfd7d922cfd20bc8197eb35c39ac6d4ed60b918b83133feb4ea7973c93.exe
-
Size
893KB
-
MD5
fc244b1c847df436078ad4be6fc87b31
-
SHA1
fe3e0ecfd542f62e35b4ff70820d927b4bb16bb6
-
SHA256
1d9b74bfd7d922cfd20bc8197eb35c39ac6d4ed60b918b83133feb4ea7973c93
-
SHA512
98bf67fb3d7a79c9b635f2ca591408cf5d1c65731bd79c26da9d6a381ed7fcf1acaf7123135de9402c022b43257d69342bc291e460b98ea35a4b901ea1685316
-
SSDEEP
12288:WZaKM/1q9I6/kldSCGDyaod+ik4g8y3SoDSNgk6u+IKlw7xGJk4xmHLOXOiuSJ:WZnM/OPW2rEloDCgk6gKSdJ4xAaln
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
1e62a268e2511720e6cbf0f77780e3147ca2d060d75118d5e0984e3059593829.exe
-
Size
771KB
-
MD5
4268fdc3799323a843475051fd6ad542
-
SHA1
706fdecf6cbb860b890742db3e9dbe239662703e
-
SHA256
1e62a268e2511720e6cbf0f77780e3147ca2d060d75118d5e0984e3059593829
-
SHA512
e7ed63a123748a52ab642999c01aaa231a78300555caa84ae1630f7316c32112e601951d8e3dd30297457914707d0bbbbc0a89425a67dbdb4526cc1f60ec0c41
-
SSDEEP
12288:SpxEDrQY5EvoFzhlmTS1i4jkkg52CKRC8fZ9GPJOe+TZmQ0Cnek3egKE0+qSEH:Ca8voVOIObYfZoke+TMQTneZuCH
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
1ed6220c4999b159446756990086fc270642dcba035ed1ea45126e3dd081c0b1.exe
-
Size
788KB
-
MD5
ca6d30a939bf00eaf7a43f4934a0ab6f
-
SHA1
11fa35bc832f707f2dfd9474a1ca6fe129510a91
-
SHA256
1ed6220c4999b159446756990086fc270642dcba035ed1ea45126e3dd081c0b1
-
SHA512
c719cd814849fe4b1da5d3ae5f04c002b8f100a6923a880bd71a8c4e5ae4d02faac99f8ed33e02de8199858bf3b016463b8bfcc4b774fd37533e73ddbd35ad85
-
SSDEEP
12288:bOLg1O1q9I6/kldSCGDysmYN/1uXaj63uANpyqHsbwod+ik4g8y3SoD:bOE1OOPWsmYxutXusrEloD
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
1ee2d1e645387a169bdc6a904e47b6a2546e4d34546733b4aedb7bb22371f90a.exe
-
Size
369KB
-
MD5
9b9299a298cd430f1e542bac8c4ffb57
-
SHA1
835f1b99fa84f225dc0f45c2f70357422389346c
-
SHA256
1ee2d1e645387a169bdc6a904e47b6a2546e4d34546733b4aedb7bb22371f90a
-
SHA512
c70a79c2cabd0ec2dbf670b8d0d9675fb197b80ab2b22f6cd7fc9b4339980cfc0f2873459c84ce7ee551005fee0af33b97e659f5f09b8b7bc2122bf6b8eef365
-
SSDEEP
6144:vBSqCcN/gMjjHnfVS/mnH5P4qrJCvNSu0MomGsUs6fcsXh5C/Br3osvnP:5SbciM3fVDPP8Nw6BWcsXO3osvP
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
-
Size
723KB
-
MD5
b659d359a6fafaf7954c78199552852e
-
SHA1
027ce3b08fe9c0c47114d6711fb26551eba96a72
-
SHA256
1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a
-
SHA512
6699fc5fa65b322edb6ea59062b36deb2a33e481c608a49503c24d3479d7a1feed07ddcefdd9987e9943b5999125148c9330a1717db4f1e10a7377d4a6ef5689
-
SSDEEP
12288:Duc81q9I6/kldSCF3/86K+/YpJ6zFJpXZDyaod+ik4g8y3SoD:Duc8OM/8l+/2JW/JW2rEloD
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Suspicious use of SetThreadContext
-
-
-
Target
1f9c6d71f4eba009486692e8734d2ed0ac586ad0310811c8e938985bc0385e5a.exe
-
Size
791KB
-
MD5
08cb38a1274abadd3f605e9f7239ca56
-
SHA1
8bb01a3786d714baef32cb3cb412f63509cdfd7a
-
SHA256
1f9c6d71f4eba009486692e8734d2ed0ac586ad0310811c8e938985bc0385e5a
-
SHA512
2d758ff01a15207ef2dcaf53bed258622a8e2a5d3ff04eb60b0568fa9f9e9540b3c40381e382a92c18709decec5a2c57d1f40f099e119e0a4a549faf3d9bd557
-
SSDEEP
12288:fOn811q9I6/kVdSC0DyKSN2L1RzqR54SGtCAXru4Ngdgevovc4od+ik4g8ylSoD:fO81udWK0s/zqRyUj2KrtkrE3oD
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
-
Size
643KB
-
MD5
e61dffb557266167a4b9c244c8c8a699
-
SHA1
7e0b819ba7163f7837a5fedb9d4f0cf28050a02b
-
SHA256
20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145
-
SHA512
4bc7d31c2b701eb6350c8eb14f9b7c9e9671482d487962474f8ea061b8bd7bac27165321e4837880ff7a103e9c32ae2c74f135daf43847f9e5748969c7b0a1f6
-
SSDEEP
12288:Cu3dK1q9I6/kldSCcSplYstzDyaod+ik4g8y3SoD:CuNKO/SvDzW2rEloD
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-
-
-
Target
20d1c1183762918f8077963504cb6971ff65352a34197d534a4d40fe68e0c97d.exe
-
Size
872KB
-
MD5
cb55913897674cdaf13edb11d97d2425
-
SHA1
780496e20b9b74ac0e17caa982ec7a73410fe54e
-
SHA256
20d1c1183762918f8077963504cb6971ff65352a34197d534a4d40fe68e0c97d
-
SHA512
aa230dc3134e5b7e7bd4b275cb6ad6f71ff3ab16161b8ddfcaa45c28e37914228580dd6dc30415801d18fd19f1e7a96b7f8723f0d216e352c1385537e3b26003
-
SSDEEP
12288:cTWVcMpDPv1q9I6/kldSCGDyaod+ik4g8y3SoDSXL8d8TZnIZZpYb/WTzVP/ZlBJ:cIrbvOPW2rEloDe/IZie9nZl+
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
20e0fb805bd4501e8361c68b8a2ab67fced87ebfd25c9012e42d38aa83a4bd2e.exe
-
Size
887KB
-
MD5
bf576defe9067ebe5ef8fcecf2728988
-
SHA1
6baeb98f1ba0e1e4c99cba0a4b8306a4efd43bf7
-
SHA256
20e0fb805bd4501e8361c68b8a2ab67fced87ebfd25c9012e42d38aa83a4bd2e
-
SHA512
3a432f8091464bfc5b236c6722c7b4ef7166edf8a6e6dc070473655a5656e4f3ab36fbebdf2972876de1899a4438359601b081d71e5dafd72bf7fa41f73a73c6
-
SSDEEP
12288:9BT52LD2q1q9I6/kVdSC0Dycod+ik4g8ylSoDgRKlcHV72reaYJVBfc1Qmsi7Fkb:fT52LKqudWYrE3oDgIk3amVBfcCmsW
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
2122f46b7744ea7cabea57095f4cdcbcdcf176232cfae669e7119c5bd607bf53.exe
-
Size
924KB
-
MD5
24948fffedf100ae5717a597279f2bd0
-
SHA1
9682d3b718238fbc682d45cb66f67927a65ff584
-
SHA256
2122f46b7744ea7cabea57095f4cdcbcdcf176232cfae669e7119c5bd607bf53
-
SHA512
a229bf77de9ddf1c9dd99c6bb24f6ddf21c782ca3a19488b921fba8fd36eaba1d4930d9e27176b63ee09a3843473d09a06acd6c367270abd58a80c3de136d4d9
-
SSDEEP
12288:e6SlCKDiW1q9I6/kldSCGDyDg24xUMmFIDHmekod+ik4g8y3SoDpbBj0pV:bSwK5OPWUyCH1wrEloDptA
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-
-
-
Target
21550d2e10232016be388e50579cb7767f0e6c3e2283bab6b4e552077eee834f.exe
-
Size
610KB
-
MD5
0f2515f54b09c63412fd214557c39d67
-
SHA1
3a22fe57b5d082138cb0dcf70a787332a2970724
-
SHA256
21550d2e10232016be388e50579cb7767f0e6c3e2283bab6b4e552077eee834f
-
SHA512
e7425b3b8b1455d1d3c2985c794601039ff0588438a13a4ada2ecce9c9597d1f33370bac23e06b2d85bee8cd1cf6d36b4451d7a95be51ce24761c21c7e7a90b3
-
SSDEEP
12288:pfJ7x4QBRXFrrbbVgNK/rwEiOsHK2OHGCMlUdLgqqqLqqqquqqqwqqqLqqqqaqqw:FJVLFXbuGrwTOsHSGCnaqqqLqqqquqqI
Score10/10-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
235041460fe585e7438589fc41e393df65545cb735907908eaaa4103d1564f03.exe
-
Size
845KB
-
MD5
effea511a4db1847bf104df4470e5b06
-
SHA1
ce111a8c18d2dbc8fb9c80db1d737f3610b1aa5c
-
SHA256
235041460fe585e7438589fc41e393df65545cb735907908eaaa4103d1564f03
-
SHA512
a61aa12cf938033c63816c7102e29fb2a74e516bd845a423205ef650e1beeeaae04fcf40a8d9057b11518fc1bf486d9522919ac646d3a3bd8ab7eba552c955b8
-
SSDEEP
24576:mSGE0FpCqi/Uv7XtIONwzLduiE1RP0G886D:mSCwZ87XtRytEytD
Score10/10-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
2356c0cbe09585e025c3fdfae9a004c20f3f4d9d0ff4a89d5add85974f0afade.doc
-
Size
181KB
-
MD5
5f894602e88263e34dcdbb2eb2da3078
-
SHA1
c4b7c33fd3ff360cee29eaa67705dc79e4a24fdb
-
SHA256
2356c0cbe09585e025c3fdfae9a004c20f3f4d9d0ff4a89d5add85974f0afade
-
SHA512
7c5c71e599c360e43e134e0a0982bf36a1c1503956b4b72654bac8777d5cfb2417602db88fe225ef53f4b674ac22d187c951cd3519cbd628527c8880ea63cff1
-
SSDEEP
1536:fe/zONq+YIv920aPPg8cmg8/TtMO80mlop3KGyIs+aiyLZMcj0TCYkd3gPdz1TW2:WoVBaPPg87gi8Bo7OwTkxmz1Cz/ptM
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
An obfuscated cmd.exe command-line is typically used to evade detection.
-