Overview
General
- Score: 10/10
- Target: eeff87f3b345b9b42f721cfdd82fa81e229c7599ef4a24d3af914e2740a7a44c
- Size: 9.3MB
- Sample: 231121-cfxc4sbe59
- MD5: ae6cd2c2ce990089ec0f6014a0986433
- SHA1: a6cf26043118691495ec030a0abb8b37de377226
- SHA256: eeff87f3b345b9b42f721cfdd82fa81e229c7599ef4a24d3af914e2740a7a44c
- SHA512: ad4e4414b4fdeb0d16796b0aa6c88f6a7a74241d18dcbd3d335cbb2c7dfb858adcda3e9a4cf26920e7f2dea288540ff91dfd059894ae45e7f37c822925fabe0d
- SSDEEP: 196608:yIm8Fn2M/119EnnLDBWht+7RGgWsu2zuxLXjJ:U8pdjuDE0B1zCXjJ

Behavioral tasks
- behavioral1: Sample 231121-01-AgentTesla-4f4bd4.exe, Resource win7-20231023-en
- behavioral2: Sample 231121-01-AgentTesla-4f4bd4.exe, Resource win10v2004-20231023-en
- behavioral3: Sample 231121-02-AgentTesla-29ec4c.exe, Resource win7-20231023-en
- behavioral4: Sample 231121-02-AgentTesla-29ec4c.exe, Resource win10v2004-20231023-en
- behavioral5: Sample 231121-03-SmokeLoader-a0e394.exe, Resource win7-20231025-en
- behavioral6: Sample 231121-03-SmokeLoader-a0e394.exe, Resource win10v2004-20231020-en
- behavioral7: Sample 231121-04-AgentTesla-41c205.exe, Resource win7-20231020-en
- behavioral8: Sample 231121-04-AgentTesla-41c205.exe, Resource win10v2004-20231020-en
- behavioral9: Sample 231121-05-CobaltStrike-189129.exe, Resource win7-20231023-en
- behavioral10: Sample 231121-05-CobaltStrike-189129.exe, Resource win10v2004-20231023-en
- behavioral11: Sample 231121-06-AgentTesla-b971a6.exe, Resource win7-20231023-en
- behavioral12: Sample 231121-06-AgentTesla-b971a6.exe, Resource win10v2004-20231020-en
- behavioral13: Sample 231121-07-AgentTesla-64b66a.exe, Resource win7-20231020-en
- behavioral14: Sample 231121-07-AgentTesla-64b66a.exe, Resource win10v2004-20231023-en
- behavioral15: Sample 231121-08-AgentTesla-d20084.exe, Resource win7-20231023-en
- behavioral16: Sample 231121-08-AgentTesla-d20084.exe, Resource win10v2004-20231020-en
- behavioral17: Sample 231121-09-AgentTesla-fbf7c4.exe, Resource win7-20231025-en
- behavioral18: Sample 231121-09-AgentTesla-fbf7c4.exe, Resource win10v2004-20231023-en
- behavioral19: Sample 231121-10-AgentTesla-a77eec.exe, Resource win7-20231023-en
- behavioral20: Sample 231121-10-AgentTesla-a77eec.exe, Resource win10v2004-20231020-en
- behavioral21: Sample 231121-11-AgentTesla-fe5abc.exe, Resource win7-20231023-en
- behavioral22: Sample 231121-11-AgentTesla-fe5abc.exe, Resource win10v2004-20231025-en
- behavioral23: Sample 231121-12-AgentTesla-68ee1d.exe, Resource win7-20231020-en
- behavioral24: Sample 231121-12-AgentTesla-68ee1d.exe, Resource win10v2004-20231020-en
- behavioral25: Sample 231121-13-AgentTesla-4c625e.exe, Resource win7-20231023-en
- behavioral26: Sample 231121-13-AgentTesla-4c625e.exe, Resource win10v2004-20231023-en
- behavioral27: Sample 231121-14-AgentTesla-1fcc29.exe, Resource win7-20231023-en
- behavioral28: Sample 231121-14-AgentTesla-1fcc29.exe, Resource win10v2004-20231020-en
- behavioral29: Sample 231121-15-Lokibot-a3aaf4.exe, Resource win7-20231023-en
- behavioral30: Sample 231121-15-Lokibot-a3aaf4.exe, Resource win10v2004-20231025-en
- behavioral31: Sample 231121-16-Lime-098e00.exe, Resource win7-20231020-en

Malware Config

Extracted: agenttesla
- Protocol: smtp
- Host: smtp.cesky-hosting.cz
- Port: 587
- Username: [email protected]
- Password: Luk7816&
- Email To: [email protected]
- https://api.telegram.org/bot6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc/

Extracted: cobaltstrike
- 987654321
- http://51.250.16.184:443/ptj
- access_type: 512
- beacon_type: 2048
- host: 51.250.16.184,/ptj
- http_header1:
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- polling_time: 60000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCE7ugh8txn0RjoGMpJ2y9D5H3fRfMBMn9I5ory16pQmWqVe+b3aeNCblpPW2QL7TP5dvKX8h75NQBEQKllhzCceQ6mlj0YONAnaE/0SY+raRmAj3htAbrh1yaMwoIAcZuSZ09jwtnz22LLTHBFqY9qBtqkXB3mbaMqKTRmx973BwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /submit.php
- user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
- watermark: 987654321

Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.experthvac.ro
- Port: 21
- Username: [email protected]
- Password: -8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_

Extracted
- Protocol: smtp
- Host: smtp.cesky-hosting.cz
- Port: 587
- Username: [email protected]
- Password: Luk7816&

Extracted
- Protocol: smtp
- Host: mail.magicframesuae.com
- Port: 587
- Username: [email protected]
- Password: sh@1213$$

Extracted
- Protocol: smtp
- Host: mail.premiermotor.com.bn
- Port: 587
- Username: [email protected]
- Password: e3Q9hj?1

Extracted: lokibot
- http://kelly.spencerstuartllc.top/_errorpages/kelly/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php

Extracted: xworm
- 5.0
- 162.212.154.8:41589
- 1fGBFdYzxtDnKgy4
- Install_directory: %AppData%
- install_file: OneDrive.exe
- telegram: https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574

Extracted: limerat
- aes_key: devil
- antivm: false
- c2_url: https://pastebin.com/raw/rPy10VvM
- delay: 3
- download_payload: false
- install: true
- install_name: Windows Session Manager.exe
- main_folder: AppData
- pin_spread: false
- sub_folder: \Windows\
- usb_spread: false

Extracted: smokeloader
- pub4

Extracted: smokeloader
- 2022
- http://dpav.cc/tmp/
- http://lrproduct.ru/tmp/
- http://kggcp.com/tmp/
- http://talesofpirates.net/tmp/
- http://pirateking.online/tmp/
- http://piratia.pw/tmp/
- http://go-piratia.ru/tmp/

Extracted
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: cash@com12345

Targets

Target: 231121-01-AgentTesla-4f4bd4.exe
- Size: 890KB
- MD5: 73af2b313925da0e49f1c99e1b51ec4b
- SHA1: 4f4bd4f230b2d2bc6f140d38f8c301a3264747a0
- SHA256: bf91852588010cca4ca8aa2f419531df69a6e5454f471ebb2e862c17b99e5724
- SHA512:
1c7ab9854266a275376ce0134d356702749f6ce8168fee0301c8140867d30384c4f5521c1212c71aba2eea0cee3600bbe9bd6311ac721219acb52c46b1c3c6f7
- SSDEEP: 24576:ve4ucqeAete6Fnj5k359f5fHi/dkGxris1q:3ucN3Fnjw53exel
- Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext

Target: 231121-02-AgentTesla-29ec4c.exe
- Size: 892KB
- MD5: d0266195f92dfa86ce1d825ad775c33f
- SHA1: 29ec4ccdfce1cd453a3d300d15e943311d57dc17
- SHA256: e16c1dfcd46162a057a38ddc99698d28e9da15d37d15cce27dd49b0411f95556
- SHA512:
00c51961e44b86ad944251c40b81931349420335d13cae04751caf42a2615fa44668414a51e210681f0f36737b17ddfbe8a04446db840eae36a00ec89bfec29b
- SSDEEP: 12288:5TpbeQHucvCeAeQseQwk29e4gmLYOGsEOcNDjAqT3TakqpKjRg3vULBwXAP7r9ry:re4ucqeAete/k2XGzOGDtdjRgM9sA1q
- Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext

Target: 231121-03-SmokeLoader-a0e394.exe
- Size: 207KB
- MD5: 6c835499e8ebade8c55d0614223cfe59
- SHA1: a0e394623b17662b04d0463680ca483dea121e3a
- SHA256: b150b158d7dc445c348fffdb721f7c1a10f096482d2826ee455608f2061f6b63
- SHA512:
0842f1a7aed6e5e320dc8908505f7d898f97d6fab539b39c7ba491d6f7db06379b760de60a0c63bf1c684678c88b9af7069bdb339982e6ebbd8392a50dd1c45d
- SSDEEP: 3072:hIzbD9Hs7CwOJ+WnJpId4PcmB4KG8T0itVvtFpbvkdk:YpHSC/JLnwVmnT0itjbk
- Score: 10/10
Signatures:
- Deletes itself

Target: 231121-04-AgentTesla-41c205.exe
- Size: 682KB
- MD5: e1170fe494e6a857b4423a366207b811
- SHA1: 41c205dee65f1e2171919a1e1811d63f28ca1fa7
- SHA256: 147030ad2b34a1be1d22bf564cae6d2a858c37d9237d97e28050bf32dc8c5a40
- SHA512:
73165b97bb059da3cebac54ce1659dd13d21e7021aca5d32850bad91b85e47f802099b0e9bdc7665aa8eb16c776cfdba6d88867ed30ff6c5abc59e6e190d47a1
- SSDEEP: 12288:EeQXucvCeAeQseQKPJkSCzG8d7hq0vwS3RmF6qc96zXFSjwuaQzpccW0S2kZwh:Ee4ucqeAete9JkVzGC7hvvP3+6v9KXsM
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 231121-05-CobaltStrike-189129.exe
- Size: 445KB
- MD5: 55a2a2ed00af5ad078cc01c6d5cac721
- SHA1: 18912985bb58cdd9d8aa3a5350b1bece98b6cf95
- SHA256: 39747d1a1758ff38b273e15a048d448eee284b6e3e44c300af32bcef882e4471
- SHA512:
339be460116f9ee8ac859d932bf38e557bc165631c59757566504aea9e65e17d8dfed832634dd5416e893b2b10a02ab45be5528e05b2b2719939e93829bb89f2
- SSDEEP: 6144:Lki5i0SZgw9YzxA14ujYq1mFdBbfdkujCTxAxnMDtWaN1nFftfEpjYGNE7o4K:Lk3Fgw9YwmFd9q+yxAxMQoFftlan4
- Score: 10/10

Target: 231121-06-AgentTesla-b971a6.exe
- Size: 570KB
- MD5: 65edafe0dc5427f4cec4e29ad9cb18bc
- SHA1: b971a6aaf0c0daa035d9186b9cc49e72a5fc9976
- SHA256: e68f725f8d131c3cc5e5cbac5bc454cd9c1848039ee706c975262ef2073e75d3
- SHA512:
a0c4bb45bd0dfa245a13502f0e51758ca2ec878a9eeec3ec0b82cdb2125981bf0de89f07c84029360676149bb61476345a032c9338bf9a3e304ea4e9e4e6b8fe
- SSDEEP: 12288:bXHfGsaMlvWCwqLRtT34We8Op0UHUpIPEGWQAwna:bXHe8BLRtTn52EG5Awna
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: 231121-07-AgentTesla-64b66a.exe
- Size: 235KB
- MD5: 791d17ad86fb3948afc5256a40479009
- SHA1: 64b66ad85555d341c4b968657b1f992c5b49e018
- SHA256: 4456ae2631c8ebf51a84c4dc5f4419c5ea636ee463a4fd5f1de95e092d4d3f19
- SHA512:
45cfd9c6e907ee492d39084b89e39d814de656c8b876f169a5a4e9cfd22aec896744f0ddf32837c4e97e62b40e7bd908803e8dd357c2f1e29ec059242e9497c5
- SSDEEP: 3072:9Rcf4UI8vkckuocfbh80Kt4TNQEIirxzQ3fj5xzMqS8Q:9qf4UI8vkckuzfb17ZrxzQ3fgqL
- Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Target: 231121-08-AgentTesla-d20084.exe
- Size: 244KB
- MD5: d36d27c924ee1a3cb8ad056241a83000
- SHA1: d20084d2fb07a684dbf3a951f46e92992d75bb46
- SHA256: 4243244e4efe7bdfde701d0b8847222ee88ce6587c92a3206b967beee790b352
- SHA512:
a44b2631ed5353f8bcca5a79ef11f013f0983416615cf8c3faeddf6d07e4ab18dfe24a4c2c9d92683aef9b57e06a873c2704bd516a3dbd6cca0f3d5abcb466f7
- SSDEEP: 6144:jdSwnaQY4QA8fJayvK0WhtNG5FgIq50RFIA8Vg:ZcQY4QA8fJayvIhejgIseFI
- Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

Target: 231121-09-AgentTesla-fbf7c4.exe
- Size: 247KB
- MD5: 2f879d56d9598e574c741396c5f756be
- SHA1: fbf7c47229c56ccddbbd757e0f48eb0d45b5c68a
- SHA256: 488b5c24fae2c85b0e9d2c26cb85992d5fd7f0cec219a0a818d648a9890c491d
- SHA512:
371d504f33e86fb18643ed58577b1b31e11949d330abe7814340c82082787593cb07a377c3fb39ac40dc2569894fda164e88eaae50a8c51a74520a836a37bcae
- SSDEEP: 6144:fcIUpNx1hNkchYyWn1YGn6ou0KDJHZ2t:7UpNx1hNkchtWnOG9u0KDK
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

Target: 231121-10-AgentTesla-a77eec.exe
- Size: 682KB
- MD5: c071299e1ba6c56f89ed021f525fc862
- SHA1: a77eec03ccb9f7531d294215afe1394f3622bc66
- SHA256: 4d89869a7e7a654cb5ffd4a30465332edfe478d0d00d841145ef082bee50e632
- SHA512:
62d4c5fe00270bb7ab4b4446506b701128b86aa6aa371f63b95e1254221bcc73ccadd80194d1533f885a3cd1b5eb915ca09243e36a1612df68faf6961d81c889
- SSDEEP: 12288:TeQXucvCeAeQseQWVmKDBBHvpKstZ5QReF1FIWJtr8XQrDwdzDwVUubu8d:Te4ucqeAeterLVBPpKeZ5QKIWjcQnMDt
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 231121-11-AgentTesla-fe5abc.exe
- Size: 1.3MB
- MD5: 233f382c6f7e034b6588fdd07dae612e
- SHA1: fe5abc8495a6bd9643bdabd9463a6d1800fd9f39
- SHA256: ed414c5cd76f7735a701b3c734bc8b7fc0d21e2143eae7925e57451d49b256ea
- SHA512:
c769410f24d1ca59e3342190ad0d6468f6b6f006892b42d633998674821910ad09e5161e0b466d0f201406ed19ceb84d1a1d57661c9a4796183146b3e0d6f231
- SSDEEP: 12288:+FJyQvvYEoIkcGUdLJWsYdt41FoMUcj/0jFSbvcv2Y2XxRkz9BhnVH:+FJyjEoI/GUFJKdt41hLBc2x2JBhn
- Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext

Target: 231121-12-AgentTesla-68ee1d.exe
- Size: 680KB
- MD5: e0e1e4aa472b0bcf592af108fcdf3766
- SHA1: 68ee1d50ac00f2955a64a706c11051fc0868ad52
- SHA256: 30c134a54ba31202c19aa3ae7ed6b246ad462b1b930e6c26aba0cb616da4ff05
- SHA512:
38224bf421bfdf22baee1778ff3b013f1399c0eeacd2c36c787de44a807e595eb35a7aed56ae7bbedd1931173a1d4f30905df812a451266f95507d58df012808
- SSDEEP: 12288:EeQXucvCeAeQseQGliPMg/VcrVE8xPvnv9884YYCydMqBFkg5wmc0Q9nqzBm1Vn:Ee4ucqeAete5WMQV7Onv9tYdu0/Gt
- Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 231121-13-AgentTesla-4c625e.exe
- Size: 577KB
- MD5: 4721986a88a38d500972e57da76ab6db
- SHA1: 4c625e44c38bcfa8fa264dc6f6ed681b591af667
- SHA256: 2feaaa1d5cd1e65708b153c9783e6b5eb66c03d6048ffb7e656f543806536bcd
- SHA512:
64edd2d5b6b5d9b40921195aeb9f25480d919e649a57e30b0cc5eabafb903bece1f56911fa2532a38de67735b423140296ede7e57f16225a331a27f165f116f9
- SSDEEP: 12288:NvCelFxzNH7FKIRJkKct1soZEU8pxrHwCiSBpwSc:NqeJ7TJkVsQJ8HrwCiSDo
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 231121-14-AgentTesla-1fcc29.exe
- Size: 830KB
- MD5: 4ae123b8dd8f2108225f3731453117cd
- SHA1: 1fcc29ee7df95e89489baf06e86ec0cc39ee2b4f
- SHA256: 2d2ec5676bd28d3f00ee24b10116feb9540e6bd015b86c8579a716a1237096c8
- SHA512:
7432110fbb78c32bc429dc944ad864b6451227acd492d61e85145fa1ba117c3a020a0aa83ed3679bea705bddab76c1e0b42467c392f492cc3981bdafdfe84b1c
- SSDEEP: 24576:kDEJtusmZ5rrQOG5NVcpIeY4wrPxeb/sw3EF99r:wCDmZS5rn4gPx632r
- Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 231121-15-Lokibot-a3aaf4.exe
- Size: 472KB
- MD5: 083b1af53ba0a7406195f5a592c8097e
- SHA1: a3aaf49572e6981a7d2536abb2ed3ee5f3d2390b
- SHA256: e7ec3396aede8095c2c834212499f1dccb475d7456f20043325518503de83f49
- SHA512:
68f773bcbcda347a2475a5191fce5b607ae6552a3b151e4a20c53289528d0102ebad0fa38ec069aee5af5c945120c8ad2d96928400dead8c347d5f115f393a21
- SSDEEP: 12288:oytsJ8EzmvCe9esuvMfRD9KrknDk1I8sCtNfPvHoAx7HAVnM:5qeCILnD98rLPvoAFHAlM
- Score: 10/10
Signatures:
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: 231121-16-Lime-098e00.exe
- Size: 66KB
- MD5: 50b2b692da0c363e301709a28b30afaf
- SHA1: 098e00413ba405bcc72b71a5869c2d151e93448a
- SHA256: d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
- SHA512:
d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
- SSDEEP: 1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x
Signatures:
- Detect Xworm Payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)