General

  • Target

    Threats.zip

  • Size

    198.9MB

  • Sample

    231107-a4wqdagh8y

  • MD5

    5531fa3d683438d9be9b6e188b982bc6

  • SHA1

    f2519749c63255116cc7c504ee5fd614896546de

  • SHA256

    cf704d2a78521cb10affd3324aa84c2fcb3818da32ab8ae9a05b298f9cdf3176

  • SHA512

    85bf738f5a5d8c5cf01cb2de70322e4c94167bcc300d880a46b8d1ea25f8963ef460143c19223fa91ecf3669636701ba97c416e029f6781375644878f0f31b8e

  • SSDEEP

    3145728:EBRHVJvKCSZKO1bt5dVqsvB7heBlyIb4R6Xq7DpAlAR8bpWBZInYQnIs:GNy5J5dcme3Urpb0eyYA

Malware Config

Extracted

Family

raccoon

Botnet

5ba094fed1175cc7d1abb03fa165c23c

C2

http://79.137.207.53/

Attributes

  • user_agent

    901785252112

xor.plain

Extracted

Family

privateloader

C2

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://45.133.1.182/proxies.txt

45.133.1.60

Attributes

  • payload_url

    https://vipsofts.xyz/files/mega.bmp

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

stealc

C2

http://robertjohnson.top

Attributes

  • url_path

    /e9c345fc99a4e67e.php

rc4.plain

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    peruglobo.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    YSw&oCV&c23w

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.hhipune.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    c@c1r2e3

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://peruglobo.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    YSw&oCV&c23w

Targets

    • Target

      Threats.zip

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
