General

Target: Threats.zip
Size: 198.9MB
Sample: 231107-a4wqdagh8y
MD5: 5531fa3d683438d9be9b6e188b982bc6
SHA1: f2519749c63255116cc7c504ee5fd614896546de
SHA256: cf704d2a78521cb10affd3324aa84c2fcb3818da32ab8ae9a05b298f9cdf3176
SHA512: 85bf738f5a5d8c5cf01cb2de70322e4c94167bcc300d880a46b8d1ea25f8963ef460143c19223fa91ecf3669636701ba97c416e029f6781375644878f0f31b8e
SSDEEP: 3145728:EBRHVJvKCSZKO1bt5dVqsvB7heBlyIb4R6Xq7DpAlAR8bpWBZInYQnIs:GNy5J5dcme3Urpb0eyYA
Static task: static1
Malware Config

Extracted: raccoon
5ba094fed1175cc7d1abb03fa165c23c
http://79.137.207.53/
user_agent: 901785252112

Extracted: privateloader
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://45.133.1.182/proxies.txt
45.133.1.60
payload_url: https://vipsofts.xyz/files/mega.bmp

Extracted: socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/

Extracted: stealc
http://robertjohnson.top
url_path: /e9c345fc99a4e67e.php

Extracted (no family name given)
Protocol: ftp - Host: peruglobo.com - Port: 21 - Username: [email protected] - Password: YSw&oCV&c23w

Extracted (no family name given)
Protocol: smtp - Host: mail.hhipune.com - Port: 587 - Username: [email protected] - Password: c@c1r2e3

Extracted: smokeloader
pub3

Extracted: agenttesla
Protocol: ftp - Host: ftp://peruglobo.com - Port: 21 - Username: [email protected] - Password: YSw&oCV&c23w
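The Malware Config section above is a flattened dump of several families' C2 and exfiltration settings. The script below is an added example, not code from the sandbox or from this report: it normalizes those entries into one IOC record per indicator (bare IPs, URLs with and without a scheme, the stealc url_path, and the flattened "Protocol: ftp- Host: ... - Port: ..." credential lines), defangs them, and produces a deduplicated host list for blocking or hunting. The input list is a constructed copy of the page's entries; the family label "unnamed" for the two credential blocks without a family and the "exfil-ftp"/"exfil-smtp" kinds are this example's own choices, and "[email protected]" is the username exactly as it is redacted on the page.

```python
"""Normalize a sandbox report's 'Malware Config' extractions into defanged IOCs.

Added example; not code from the sandbox or the report. The input is a
constructed copy of the page's extracted-config entries.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: (family, [raw entries]) copied from the report's Malware Config
# section. Credential entries keep the report's flattened 'Key: value - Key: value'
# layout, including the missing space in 'ftp- Host:'. '[email protected]' is the
# username exactly as it is redacted on the page. 'unnamed' is our own label.
EXTRACTED = [
    ("raccoon", ["http://79.137.207.53/"]),
    ("privateloader", [
        "http://45.133.1.107/server.txt",
        "pastebin.com/raw/A7dSG1te",
        "http://wfsdragon.ru/api/setStats.php",
        "51.178.186.149",
        "http://45.133.1.182/proxies.txt",
        "45.133.1.60",
        "https://vipsofts.xyz/files/mega.bmp",
    ]),
    ("socelars", ["http://www.iyiqian.com/", "http://www.hbgents.top/",
                  "http://www.rsnzhy.com/", "http://www.znsjis.top/"]),
    ("stealc", ["http://robertjohnson.top", "/e9c345fc99a4e67e.php"]),
    ("agenttesla", ["Protocol: ftp- Host: ftp://peruglobo.com - Port: 21 - "
                    "Username: [email protected] - Password: YSw&oCV&c23w"]),
    ("unnamed", ["Protocol: smtp- Host: mail.hhipune.com - Port: 587 - "
                 "Username: [email protected] - Password: c@c1r2e3"]),
]

# Split on the dash only where the next token looks like a field label ('Port: '),
# so dashes inside passwords or usernames are left alone.
_FIELD_SPLIT = re.compile(r"\s*-\s*(?=[A-Za-z]+:\s)")


def parse_credential_entry(entry):
    """Parse 'Protocol: ftp - Host: h - Port: 21 - Username: u - Password: p'."""
    fields = {}
    for part in _FIELD_SPLIT.split(entry):
        key, _, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    host = fields.get("host", "")
    if "://" in host:                      # AgentTesla reports 'ftp://host'; keep the host only
        host = urlsplit(host).hostname or host
    port = fields.get("port", "")
    return {
        "protocol": fields.get("protocol", "").lower(),
        "host": host,
        "port": int(port) if port.isdigit() else None,
        "username": fields.get("username", ""),
        "password": fields.get("password", ""),
    }


def classify(raw):
    """Return (kind, value) with kind in {'ip', 'url', 'path'}."""
    try:
        return "ip", str(ipaddress.ip_address(raw))
    except ValueError:
        pass
    if raw.startswith("/"):
        return "path", raw                 # stealc url_path; only meaningful joined to its C2 host
    if "://" not in raw:
        raw = "http://" + raw              # 'pastebin.com/raw/...' carries no scheme on the page
    return "url", raw


def defang(kind, value):
    """hxxp://1[.]2[.]3[.]4/path style; only the host part gets bracketed dots."""
    if kind == "path":
        return value
    if kind == "ip":
        return value.replace(".", "[.]")
    parts = urlsplit(value)
    host = (parts.hostname or "").replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.replace('http', 'hxxp')}://{host}{parts.path}{query}"


def extract_iocs(entries=EXTRACTED):
    """Flatten the extractions into one record per indicator."""
    iocs = []
    for family, raws in entries:
        for raw in raws:
            if raw.startswith("Protocol:"):   # credential block = exfiltration endpoint
                cred = parse_credential_entry(raw)
                iocs.append({"family": family, "kind": f"exfil-{cred['protocol']}",
                             "host": cred["host"], "value": f"{cred['host']}:{cred['port']}",
                             "defanged": f"{cred['host'].replace('.', '[.]')}:{cred['port']}"})
                continue
            kind, value = classify(raw)
            host = {"ip": value, "url": urlsplit(value).hostname}.get(kind)
            iocs.append({"family": family, "kind": kind, "host": host,
                         "value": value, "defanged": defang(kind, value)})
    return iocs


def network_hosts(iocs):
    """Unique hosts and IPs to block or hunt for, in first-seen order."""
    return list(dict.fromkeys(i["host"] for i in iocs if i["host"]))


if __name__ == "__main__":
    iocs = extract_iocs()
    for ioc in iocs:
        print(f"{ioc['family']:<14} {ioc['kind']:<11} {ioc['defanged']}")
    print("\nhosts:", ", ".join(network_hosts(iocs)))
```

The stealc url_path is kept as a separate "path" record rather than joined to http://robertjohnson.top, because the report lists it as an attribute rather than as a full C2 URL; join the two yourself if your detection needs the complete endpoint.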
Targets

Target: Threats.zip (size and hashes identical to the General section above)
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Downloads MZ/PE file

Executes dropped EXE

Uses the VBS compiler for execution

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.