General

  • Target

    003.zip

  • Size

    6.6MB

  • Sample

    231101-se5wvsab3s

  • MD5

    105f87017ef0c8ae7f35a95e7711ba51

  • SHA1

    6348ba7d47679ee4bac641cc2b56753443d6e7f5

  • SHA256

    7c8aaa88dd30f1b0301e3aaf0da58cdea2dfa56c0eb3b35b68123ecdefdf59e9

  • SHA512

    2b6ff5b1a65eb20361e83451c3bd693aa3e92dcabb80f24b4ad0de8e43abec0f5f619f164c6d70d2d12615fb197193087e4f076a12c708dfab73e1232af6b462

  • SSDEEP

    196608:/MDm/sB+EViFEBf7ZNswi+DsK1NNmokqIhgOdvS:/MDmip7Zjic1NNylgOdvS

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.1and1.es
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    elsecreto2019

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.nec-eg.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    #i!NeC0O&12

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.metalindus.cl
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    metalindus_2019

Targets

    • Target

      037f80f7eee792aa95886508fc3cf946.exe

    • Size

      491KB

    • MD5

      037f80f7eee792aa95886508fc3cf946

    • SHA1

      01a824ae5b084b68ea0adb18720d6c6c318ea363

    • SHA256

      7096865b32b903fa9cec066e310e02a337af3e16a1c504d24320879f15f85791

    • SHA512

      c1287d9ca62169334cce6002d212cc6a7be724fe565f342985a9ab732da174233fdc1c4c0eb2dca67fd7c2fc063b579b64a9af8ae01edfeca56724338540b200

    • SSDEEP

      12288:0Xy9hAFKE4WNEEGGi+nfs/3GXvPKy0/vi2p+wxpEtVjK+EvKRFn6PeMHf:d9/VsiukO/F0/v9+wxpEtVjK+EvKRFnW

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      15e7399aea87f41dcdc536b93452f3b6.exe

    • Size

      761KB

    • MD5

      15e7399aea87f41dcdc536b93452f3b6

    • SHA1

      ab65c8a4d6f1ee3a36b29c42178fd1cd3e59d3d3

    • SHA256

      8e42f5b252ac7d0ef6ab0985047472855d8bd76667bf62ca6f13d0a6c2cb6bdf

    • SHA512

      d043b18983aa0e940443901fe366a203e29d7f57052048d43ddcc41a3a91eab1e11c431b0cfa20dfdcd92e2cca6511773b20113b452c67d2e3525c14891435a6

    • SSDEEP

      6144:JzbGXY50DD9OGs84LP5j5pJJKbWYp3oSlzTPtVhb3W8gDsfii1tCVZS51SKiD+fE:F3gsF1HPgWab3WC1tGGSzD+fF4hRbe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      18b4f16f04c2c21d6be60206341f337c.exe

    • Size

      858KB

    • MD5

      18b4f16f04c2c21d6be60206341f337c

    • SHA1

      4f6741b4059c3b72221e2bf85c20a85b7920f779

    • SHA256

      689da1b41af4cdc8b90eb21f861115688ffc44555d7a5c7de13b38e36f041c4a

    • SHA512

      c3e498860cdde07d1fa3311c9168142ff100f529430ebfc119e83c7f7831c01b01aa4cdb5604db4cb47ca284e9b0a594468f481e7196b0f4514c5babf1840059

    • SSDEEP

      12288:KwcvG73htU7/2eQ1x9lD9fxxZg9JIfJ2oiMlZWIRljyzAEuiQr9LjJhodEyOabBw:KwgG1tCueiLWJknmzIiQFkKU1S

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      21d1163cd9edb6ae1478f2695e70836e.exe

    • Size

      954KB

    • MD5

      21d1163cd9edb6ae1478f2695e70836e

    • SHA1

      1e18d438a23c0aa9ddf3df4eb81bc0a496e7b166

    • SHA256

      92e20368143782c5dcd729449a940ae0bd670adb81136a2430f58c8cc9762851

    • SHA512

      4cd9808622e15aec9f78f3cf3f8e84ea3ac53c8ced6f48ac8e08296fc90de4f4365d294fa0c7bd34d5453fabe2632955ce8fb1a69cf4df6e1619cc54feee2c57

    • SSDEEP

      12288:ADPWR28Le0cY+Yg9fb9ncA91c+yMBMWR7B0uFN5UQLQ9Z3htSWC9oF0MsLjmMj:Aj+xL9Rk9WA92+3uI7RNGQLchSWhsmA

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      26ef9e5b08e4464b71e644ae57362b1a.exe

    • Size

      721KB

    • MD5

      26ef9e5b08e4464b71e644ae57362b1a

    • SHA1

      fc0840cc0dcfcc94f9796619b07d4768e1902b44

    • SHA256

      2bed887fca5ae34bb249eb750e20b7542c9209a169745ad2bd9176618042f8ee

    • SHA512

      e14ffd07270c12a8720bd7db821997fec95f9fb1ee88d72e0a300ddb053a1b1ec90e8c1a28a43d7ba1f3fb2f1492c740aa23afe7a41277e423bcb12a93479c36

    • SSDEEP

      12288:V+J/M+Jhewx/NscEQ+vgXK1HsaP7s4L4Sb8tppC58XMxP+B+T/9BGcgTv2wv9Pnw:a/thewlqB6pm7ITpC52MxP+6/9BWz2ww

    • Target

      28cef7a30348b7605c3e20208c2f79ac.exe

    • Size

      228KB

    • MD5

      28cef7a30348b7605c3e20208c2f79ac

    • SHA1

      0eed34050f0e04757b46660365316d1ed1676fa4

    • SHA256

      667657cd3f5cde93cfedd17ce283ce3bec2c6f296c9350de87e8e57eadf71831

    • SHA512

      94f0aee84e6a80239840f9ae2337bf095f1ec074b4fc9a2093cc04c8df57ccab19eb437a26092c9251cec43d354c0e4e5458586a4f28360be55043710d4a19b3

    • SSDEEP

      6144:j03mjlC3YAM2xfSu0Wz66L7D9gL1tBBcQdH69nhaOq:A3Z3YT2FSuPz66LW1BcQdaDab

    Score
    10/10
    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Target

      32f2d7c0a6af9eb96bc8a9f18a95250d.exe

    • Size

      2.6MB

    • MD5

      32f2d7c0a6af9eb96bc8a9f18a95250d

    • SHA1

      1f75de7f58f02640d65332cc6112fbe94e356699

    • SHA256

      277e24866f14e56d5579dad72d309676a55f8fb446085be4679cd42b61eee918

    • SHA512

      b8b9b102f746fd889b3a0a097c9fde9a82233c67a98252d8ab674089346310c8110e5017b12e5ee7662e1ef57ea0f41d85f588e25c13ecbcce9dc304f77fba63

    • SSDEEP

      24576:nFQ24ZXcZ+sVM/urmZVeVBIRZFP8T5MizxHW1mSNAvRI:nsm+RxzeVBmZd8ONAZ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      33d03025fe17acc835808ac3b82b43fb.exe

    • Size

      799KB

    • MD5

      33d03025fe17acc835808ac3b82b43fb

    • SHA1

      1de066d4dd3104f175b2b091314b5f629298168b

    • SHA256

      1b9a2dc6ca050349b9b0f180706742b64e734eb334c02afd87d7108eff1d4ec8

    • SHA512

      a6d2f1b8cfa8eea4ee621e7878462969f0267897f5fc96ec0621b26256ac6a26ba6e2fd272d1ead5a0f60f8b8b8e541eda7e42b5bc9c30d41057646217e3aa90

    • SSDEEP

      12288:bdr52iNoOe42KMu/N3mWhQmwmJCMpUei/Nw3ZlK6XKoXe5jvDXhWAIMH6oy+rNx8:Rd1mOV/NOa+Nw3G6vO53Ha0xBi

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      35da8e30ae0228adb64b7d7d67b661fd.exe

    • Size

      378KB

    • MD5

      35da8e30ae0228adb64b7d7d67b661fd

    • SHA1

      5093b8518f8034be477da24edefdd16368c2ce8a

    • SHA256

      5db75c246c2dd344ed0b0f4eae96c31479673451219cecaa2d70b26899bce9a8

    • SHA512

      a9027d39926b509139821e995a64e783ec3123ac972e3f40846d4b2b8456ea477fb559eb8e7c2789806eb8a7dad4d53b83f06276308825386516d7b4f7914a1d

    • SSDEEP

      6144:kVn8Y/2+3x5spUN1yY0zyZwoqn9onD4Epv:k58WhWmNEYOyix9onD4Eh

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      38e99396218a743516d6f98352c43314.exe

    • Size

      997KB

    • MD5

      38e99396218a743516d6f98352c43314

    • SHA1

      712225fb82d9a1cb02fbe5655b11794e91ae7b04

    • SHA256

      41b323cfee2875100d254049b26207236646519d6ae00eaf8858d038aaa7121c

    • SHA512

      5ee823f2579c290e95bdae20fd41c8afb2c120ce73b7625965500ef17be00a3ab7217bfb4810a584a5d512536f7774056c9882b5dc15f3cf33b8afe8fc471983

    • SSDEEP

      12288:7k7QrYqwTg5XftSdvA8sXml4o0BQlnhBoHv+ye2vKilsCFqhcH2SAwL7YTmHyuqT:7kMegZlSKPVDQxKv+GXllghE55ITyNu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      43fbcbf4110bc9751de6c81fa49a57dd.exe

    • Size

      488KB

    • MD5

      43fbcbf4110bc9751de6c81fa49a57dd

    • SHA1

      cdab5b854f12d181d1ce8f577b1ff9eb42f647eb

    • SHA256

      4e2394dec0a47e2cfc48184dcff6f11a5ffb7f50bba2fa4b52427f94165087ca

    • SHA512

      4bae9f3c33c4c439516e7b1bc1aed2e4612fa832c5abeac60e3d68f36934bb0eb65a905fa4e676556a6f348fc90e75507b16159b42dba24e20df274aaaacd8e4

    • SSDEEP

      12288:0FojKAFFBf1Qrce4sDoPWRJ29arvP2VtO5K:01awEe722vPgt2K

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      47d09683fc102a85a7dea2516ca81fa3.exe

    • Size

      760KB

    • MD5

      47d09683fc102a85a7dea2516ca81fa3

    • SHA1

      f64cc824abd8804458c3f31f06c16d0bec9338dd

    • SHA256

      848ce511daf9046ab1ab3bed080d5c20bdeb3fd0bebc016fc3af70b892ebb5c9

    • SHA512

      eccff33ade27412be147d7f792ec150f79f0fba322cbf4a2befb46f615a71c578bd15c324c579fdbb9c377f221679cf4a04575c9f8f4814841346a244e80a2a6

    • SSDEEP

      12288:Ro7VntzJOQX040txZp8sNx2HExIWtWrnngnnnKnanxNY:u104SgWtWrnngnnnKnanxN

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect PureCrypter injector

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

zgrat
Score
10/10

behavioral1

Score
3/10

behavioral2

agenttesla collection keylogger persistence spyware stealer trojan
Score
10/10

behavioral3

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral4

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral5

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral6

agenttesla zgrat keylogger rat spyware stealer trojan
Score
10/10

behavioral7

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral8

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral9

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral10

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral11

zgrat rat
Score
10/10

behavioral12

Score
1/10

behavioral13

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral14

agenttesla collection keylogger persistence spyware stealer trojan
Score
10/10

behavioral15

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral16

agenttesla zgrat keylogger rat spyware stealer trojan
Score
10/10

behavioral17

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral18

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral19

agenttesla zgrat collection keylogger persistence rat spyware stealer trojan
Score
10/10

behavioral20

agenttesla zgrat collection keylogger persistence rat spyware stealer trojan
Score
10/10

behavioral21

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral22

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral23

agenttesla purecrypter collection downloader keylogger loader persistence spyware stealer trojan
Score
10/10

behavioral24

agenttesla purecrypter downloader keylogger loader persistence spyware stealer trojan
Score
10/10