General
Target: 5d86018377d9cf83e6e2c08fd9fd60d3.bin
Size: 1.1MB
Sample: 230928-b2bsvsgf38
MD5: 69dfb06884612a034a0e76805e1f42a8
SHA1: 370256179c6dc72547c5f4a95f004e1db45cb4ed
SHA256: e0b11452031eb50da413a54781c376ec6f5793a70786eb14dbb077355eae7e88
SHA512: 6c935eb67de8fe11f78afbf9c90abc35eb9ec2eb6600df3a8bd0bab16a12b71b1eb6c02c1e11d96477ca437adb6d8917a3202b5e4726938e954290563877e630
SSDEEP: 24576:SrK2n6n+XWtu0b8Cfny7ok1xJljHGCIQvvdU+4903eug0QHW:VmGtu0b8CvTk1x7aC3vvO+4C3en0j
Static task: static1
Behavioral task: behavioral1
Sample: 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
Resource: win10v2004-20230915-en
Malware Config
Extracted
Protocol: smtp
Host: mail.royalcheckout.store
Port: 587
Username: [email protected]
Password: esubwDViXlQ2@@##
Targets
Target: 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
Size: 1.3MB
MD5: 5d86018377d9cf83e6e2c08fd9fd60d3
SHA1: 3ae1897f221aa5893f8aff0bfd79666f8ba2236f
SHA256: 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3
SHA512: d2ea45f5f6aa1561468ff5657d6b9cfc1fe3168621dde2706423cf26c12a8c5a0fa920275bc2a7294d341e39da71493975b0c4632701d4629966b1a058b52fb7
SSDEEP: 24576:YkzJBUqX3qbkN6s2P2VElQJyNmXy76p7ZUgSb2H8KZ/L2zZnJf+MCFL3:YkNBH16sVOy0NmXIgSudT2teL
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Snake Keylogger payload
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext