General
-
Target
a.zip
-
Size
832B
-
Sample
230917-1kqywsfc99
-
MD5
10e578867faad166dc6a8f3868cef2f4
-
SHA1
f541fab60d482834e90638c5aebdefe3d997174e
-
SHA256
6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c
-
SHA512
38389b61e71eed9a9587900f60d59c145d070d0e02602f473c284befcd4898b1191f1982e71463c9cbe17ea36f4ec6c17d665f072e730981eae00fd805863114
Malware Config
Extracted
redline
Invoice
147.124.213.118:50826
Extracted
xworm
3.0
topics-junior.at.ply.gg:45283
-
install_file
explorer.exe
Extracted
smokeloader
up3
Extracted
amadey
3.83
http://5.42.65.80/8bmeVwqx/index.php
-
install_dir
207aa4515d
-
install_file
oneetx.exe
-
strings_key
3e634dd0840c68ae2ced83c2be7bf0d4
Extracted
redline
@Black_Santa21
94.142.138.4:80
-
auth_value
5a06838de858adf9064d7d2c59f0d1f6
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
0305
185.215.113.25:10195
-
auth_value
c86205ff1cc37b2da12f0190adfda52c
Extracted
nanocore
1.2.2.0
thecookieisthere.duckdns.org:8209
b60838e1-f181-4bc5-939a-25e80b7d7815
-
activate_away_mode
true
-
backup_connection_host
thecookieisthere.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-06-25T10:41:59.706866036Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8209
-
default_group
Cookie
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
b60838e1-f181-4bc5-939a-25e80b7d7815
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
thecookieisthere.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
agenttesla
Protocol: smtp- Host:
mail.aaparts.co.in - Port:
587 - Username:
[email protected] - Password:
aaplamb1234 - Email To:
[email protected]
Extracted
stealc
http://171.22.28.221
-
url_path
/5c06c05b7b34e8e6.php
Targets
-
-
Target
a.zip
-
Size
832B
-
MD5
10e578867faad166dc6a8f3868cef2f4
-
SHA1
f541fab60d482834e90638c5aebdefe3d997174e
-
SHA256
6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c
-
SHA512
38389b61e71eed9a9587900f60d59c145d070d0e02602f473c284befcd4898b1191f1982e71463c9cbe17ea36f4ec6c17d665f072e730981eae00fd805863114
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Fabookie payload
-
Detect Xworm Payload
-
Fabookie
Fabookie is facebook account info stealer.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Stealc
Stealc is an infostealer written in C++.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-