General
-
Target
be1b63ef6abc588245cdf4f346b26154.bin
-
Size
1.1MB
-
Sample
230928-csezlagg38
-
MD5
b6b679419b45c9ea5f806839d5cdedc0
-
SHA1
d3eaffab303175334ba1cdc18378c253afdfea32
-
SHA256
13c54364914485de5ca3a77b68c91d7827bf4b54118265d5a5d241f3063e3a10
-
SHA512
983f5fa55a3cecae199803a8e366e266dc27f2b6487ddceba6c7d19544974f8182431a5208ec0d6e497e950019da8a00d4bf3fe53c77c658a4229be3fbf812be
-
SSDEEP
24576:y2k9OUV+2RlOZTTDvq/dXakajQl7/rrrRUBjP3iTnnK5JCii/L:RQV+0lITny/Vl77RUJAnnK5JCii/L
Static task
static1
Behavioral task
behavioral1
Sample
323f7a2c28d21f7098817977c3854be91f379cb2791fbc5504d6c3342fb163ac.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
323f7a2c28d21f7098817977c3854be91f379cb2791fbc5504d6c3342fb163ac.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
Protocol: ftp- Host:
ftp.royalcheckout.store - Port:
21 - Username:
[email protected] - Password:
575K5(MaZro2575K5(MaZro2
Extracted
Protocol: smtp- Host:
mail.royalcheckout.store - Port:
587 - Username:
[email protected] - Password:
575K5(MaZro2575K5(Ma
Targets
-
-
Target
323f7a2c28d21f7098817977c3854be91f379cb2791fbc5504d6c3342fb163ac.exe
-
Size
1.3MB
-
MD5
be1b63ef6abc588245cdf4f346b26154
-
SHA1
f67ee49fa9fb286bcd47e0b3dfcf758c320b7694
-
SHA256
323f7a2c28d21f7098817977c3854be91f379cb2791fbc5504d6c3342fb163ac
-
SHA512
b1dd770c40256f7013b1fd96b348d29720730cbce0366ac6445bf95e5924f6588ae65e7ab84e9100068d2886912fc7126240b41a8c42441a2dc0ab9fa1fb493b
-
SSDEEP
24576:DJaKfqD927EyXdyIA+T/QOb5zKPd+fDFBS8tzFr6iOhhRwQ35rmrfYYWThRhT:DJKk7EytyTiYuBnOhB3yYd1zT
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-