General
-
Target
sus.zip
-
Size
4.9MB
-
Sample
230812-yxcwpaea79
-
MD5
8110f2e3c815b8f7d454c9c65c19207d
-
SHA1
562a81cc36846b962df36ae3a39d836bc30a7233
-
SHA256
6da86b8451913c8d646bbb704b4ac7eae173ae56cb5ffaec7eaccea014b7beff
-
SHA512
2c7c46d3094eb8fdb2d0703b2ea3a44c723ad32e6cd8fbbd294bcf937f024b3be694d6ad6a9d29afdf563465375b699102ca200677a38eb86cc153ad4f4a39be
-
SSDEEP
98304:24+lmGEy1+ChhSZ35VFnZ8ndIMUntl1iL3ENTeMTNnNPRp8UX8KKKkOstbpdWGMp:2ZhkZ35VFZ8KPn1IcTlNJ78yz7kPbUug
Behavioral task
behavioral1
Sample
sus.zip
Resource
win10-20230703-en
Malware Config
Extracted
amadey
S-%lu-
45.9.74.70/2BfwEn6KgTm/index.php
3.88/2BfwEn6KgTm/index.php
Extracted
agenttesla
Protocol: smtp- Host:
mail.dangrigalanddevelopers.bz - Port:
587 - Username:
[email protected] - Password:
dlddevelopers20177 - Email To:
[email protected]
Extracted
formbook
4.1
oy30
rfc234.top
danielcavalari.com
elperegrinocabo.com
aryor.info
surelistening.com
premium-numero-telf.buzz
orlynyml.click
tennislovers-ro.com
holdmytracker.com
eewapay.com
jaimesinstallglass.com
damactrade.net
swapspecialities.com
perfumesrffd.today
salesfactory.pro
supportive-solutions.com
naiol.com
khoyr.com
kalendeargpt44.com
web-tech-spb.store
lodjireal.online
ultraflooringmore.com
iwantbundles.com
theroofer.lat
qwxry.fun
faserfreunde.com
body-for-living.com
welnessfit.com
clublucky.store
nlast.cyou
gkoders.com
okxmttwa.click
nodesofty.com
alemania-paredes.com
travel-insuranceprice.shop
thechaay.com
formulavsupplements.com
gstringtheory.com
ruopenai.com
evi-based.com
danleugers.com
lojinhaevelyn.com
denzaimivsem.buzz
izmn2vd8.click
asliy.top
kawitrack.com
brandiai.com
ssssne.com
asianewsgood.online
proloop.work
dhikaedwina.com
onemarinallc.com
realmpabq.com
boswells.biz
jpxiaoxi.top
ishirink.com
thundershorts.com
rainydayroofs.com
atatra.com
hftroi.xyz
fundamentplus.com
gsvaedpzugtdn.com
mic-reform.info
vacuumbagsuppliers.com
gaoxiba150.com
Targets
-
-
Target
sus.zip
-
Size
4.9MB
-
MD5
8110f2e3c815b8f7d454c9c65c19207d
-
SHA1
562a81cc36846b962df36ae3a39d836bc30a7233
-
SHA256
6da86b8451913c8d646bbb704b4ac7eae173ae56cb5ffaec7eaccea014b7beff
-
SHA512
2c7c46d3094eb8fdb2d0703b2ea3a44c723ad32e6cd8fbbd294bcf937f024b3be694d6ad6a9d29afdf563465375b699102ca200677a38eb86cc153ad4f4a39be
-
SSDEEP
98304:24+lmGEy1+ChhSZ35VFnZ8ndIMUntl1iL3ENTeMTNnNPRp8UX8KKKkOstbpdWGMp:2ZhkZ35VFZ8KPn1IcTlNJ78yz7kPbUug
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Chaos Ransomware
-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Formbook payload
-
Modifies boot configuration data using bcdedit
-
Blocklisted process makes network request
-
Disables Task Manager via registry modification
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1