Resubmissions
17-11-2023 19:12
231117-xwf2aaeb6w 1013-11-2023 20:48
231113-zlyjpafe33 1011-11-2023 00:27
231111-asanrsce88 1026-10-2023 01:21
231026-bqq4eaae92 1017-10-2023 19:09
231017-xt332ahd24 1014-10-2023 18:16
231014-wwjlqsgc23 1008-10-2023 21:51
231008-1qgmeagc31 1003-10-2023 17:46
231003-wckppaed21 10General
-
Target
New Text Document.exe
-
Size
4KB
-
Sample
231113-zlyjpafe33
-
MD5
a239a27c2169af388d4f5be6b52f272c
-
SHA1
0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
-
SHA256
98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
-
SHA512
f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
-
SSDEEP
48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Static task
static1
Malware Config
Extracted
Protocol: smtp- Host:
mail.bretoffice.com - Port:
587 - Username:
[email protected] - Password:
}&HF=G!r!_eA
Extracted
agenttesla
Protocol: smtp- Host:
mail.bretoffice.com - Port:
587 - Username:
[email protected] - Password:
}&HF=G!r!_eA - Email To:
[email protected]
Targets
-
-
Target
New Text Document.exe
-
Size
4KB
-
MD5
a239a27c2169af388d4f5be6b52f272c
-
SHA1
0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
-
SHA256
98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
-
SHA512
f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
-
SSDEEP
48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Stops running service(s)
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-