General

  • Target

    sus.zip

  • Size

    4.9MB

  • Sample

    230812-yxcwpaea79

  • MD5

    8110f2e3c815b8f7d454c9c65c19207d

  • SHA1

    562a81cc36846b962df36ae3a39d836bc30a7233

  • SHA256

    6da86b8451913c8d646bbb704b4ac7eae173ae56cb5ffaec7eaccea014b7beff

  • SHA512

    2c7c46d3094eb8fdb2d0703b2ea3a44c723ad32e6cd8fbbd294bcf937f024b3be694d6ad6a9d29afdf563465375b699102ca200677a38eb86cc153ad4f4a39be

  • SSDEEP

    98304:24+lmGEy1+ChhSZ35VFnZ8ndIMUntl1iL3ENTeMTNnNPRp8UX8KKKkOstbpdWGMp:2ZhkZ35VFZ8KPn1IcTlNJ78yz7kPbUug

Malware Config

Extracted

Family

amadey

Version

S-%lu-

C2

45.9.74.70/2BfwEn6KgTm/index.php

3.88/2BfwEn6KgTm/index.php

Extracted

Family

agenttesla

Credentials

Extracted

Family

formbook

Version

4.1

Campaign

oy30

Decoy


Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Detect Neshta payload

    • Formbook

      Formbook is data-stealing malware.

    • Neshta

      Malware from the Neshta family infects other files in order to spread itself and cause damage.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Formbook payload

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks