General
-
Target
4a0d61fe2000566f8b688d18681c0b5a.bin
-
Size
1.1MB
-
Sample
230928-bw5hzsfc5x
-
MD5
cb9e62f216ed950f8effbe1211ae2fd4
-
SHA1
92f61a90ab04a27dbd8fe920278875749241bc3a
-
SHA256
17919c10342911398375390d8eff6f416ac0b28291289a087f512b86fa5f48c8
-
SHA512
d7713a3c57a29b00c7f5d8adc1d055ca741977cca086a80877f53d611dc381226aad14b00f7299ac3128b8b0af93f3a9a2f74455cce3517970ec0aedceb6966e
-
SSDEEP
24576:qpgRE0cOZYbxJpdPv1JH567/tR4HrSt0aGKD4nkmuPl3pU2pIplZP:qEZadPde7/j4HxaGKD4kLhpU2pIXZP
Static task
static1
Behavioral task
behavioral1
Sample
a5511e15b015d02f9475da2875c37dcdacdda81793f2324fe5d61d487187aa8c.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
a5511e15b015d02f9475da2875c37dcdacdda81793f2324fe5d61d487187aa8c.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.royalcheckout.store - Port:
587 - Username:
[email protected] - Password:
esubwDViXlQ2@@##
Targets
-
-
Target
a5511e15b015d02f9475da2875c37dcdacdda81793f2324fe5d61d487187aa8c.exe
-
Size
1.3MB
-
MD5
4a0d61fe2000566f8b688d18681c0b5a
-
SHA1
c473e7bafd6351cb8f1870eadb73316cd5cb5e91
-
SHA256
a5511e15b015d02f9475da2875c37dcdacdda81793f2324fe5d61d487187aa8c
-
SHA512
a9c84b0af7497ad780302583e2b6dc1c438451e18259fd25be4d3267b4a8125a6c31860017aba83879f8a703aaefbfd331ae63016468976f86572c2be7f248be
-
SSDEEP
24576:s3yIf2H3CSfGxoBYocM4D8Ss5kHb291wOQO+XvnzHhMTfU8+LxD3Fwp:sF2HtfGyBxAm5S6m7mT+1F
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-