General

Target: db2a2d7c0772591199f7d3be76fd05031487f14b888efaa626d167397130c86b
Size: 9.7MB
Sample: 231202-betedshb46
MD5: f3ea43db54841ed8d406f428557ec33e
SHA1: affd5206fb39ea0e38d2d496e7bcf57c71cc38aa
SHA256: db2a2d7c0772591199f7d3be76fd05031487f14b888efaa626d167397130c86b
SHA512: f8e3ab4715cd5edd41cf29ab97cbfcc4a67b25aa19e90f9ba0df10dd51d00013afb320f822a846a0cb326dd87aa61a3fa5179be495b70f63cc61acc177bbcdb2
SSDEEP: 196608:3AJZo16QcOYIgSGOVR9gyWT0985gRdSkMgOkX+O+wV3Meys:3N7en1OVR9uT0O5qFOEmxs
Tasks

Static task: static1
Behavioral task behavioral1: sample 1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3.exe, resource win7-20231130-en
Behavioral task behavioral2: sample 1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3.exe, resource win10v2004-20231127-en
Behavioral task behavioral3: sample 3b29f950968c3e659a25e4d65085b3c2337db74cfcc88fb7172971b1c3f13837.exe, resource win7-20231023-en
Behavioral task behavioral4: sample 3b29f950968c3e659a25e4d65085b3c2337db74cfcc88fb7172971b1c3f13837.exe, resource win10v2004-20231127-en
Behavioral task behavioral5: sample 69cebec49aad7594157deb014e52b24580e3a6e05476aac000fd0cf7b1c3bd97.exe, resource win7-20231023-en
Behavioral task behavioral6: sample 69cebec49aad7594157deb014e52b24580e3a6e05476aac000fd0cf7b1c3bd97.exe, resource win10v2004-20231127-en
Behavioral task behavioral7: sample cb3cd1f7db0ac8ef966e513358935676673bd972b8baad11ef0f2a8bfdb9cbe4.exe, resource win7-20231020-en
Behavioral task behavioral8: sample cb3cd1f7db0ac8ef966e513358935676673bd972b8baad11ef0f2a8bfdb9cbe4.exe, resource win10v2004-20231127-en
Behavioral task behavioral9: sample e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b.exe, resource win7-20231020-en
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.asiaparadisehotel.com
Port: 587
Username: [email protected]
Password: ^b2ycDldex$@
Email To: [email protected]

Extracted: stealc
C2: http://77.91.76.36
url_path: /3886d2276f6914c4.php

Extracted: risepro
C2: 195.20.16.45

Extracted
Protocol: ftp
Host: ftp.dzine.com.tr
Port: 21
Username: dzinecom
Password: Dzine21.
Targets

Target: 1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3.exe
Size: 623KB
MD5: 8eab5e4d034fde42eb31add0cb923a97
SHA1: ac9f5a051227302049aa5136a26f30a3707db55c
SHA256: 1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3
SHA512: 54f6f28e0ad2ba4cf968fb766d000f97afb851a6886649c7968a39a3e09eff5974455164ba0e43963a1bc5a416b1fabfd6780c55cd794011ea474bd72c2accdb
SSDEEP: 12288:14uUdaP5mn0llWSQSSKJOzIT5HiSRJ56/:ydaP5mn0llNQN2OzCti2z

- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: 3b29f950968c3e659a25e4d65085b3c2337db74cfcc88fb7172971b1c3f13837.exe
Size: 270KB
MD5: a2da34f16556914cfd1218970c90e451
SHA1: 9ac22b21244777d2d2b9ae22fb551f6a0b54f4f0
SHA256: 3b29f950968c3e659a25e4d65085b3c2337db74cfcc88fb7172971b1c3f13837
SHA512: 58b9ec3b661c1c1f636a64ed42af507ac8aafd771eb597952b7e76ec35828d26f7b41c0c8f1a87d5e0ffd3d328ed773b7d8ab2497d1e0e806dd4552056bcf948
SSDEEP: 6144:pR2kdN6l00Ul/YbyRVZXGoMFK0OK8yL7Ve:pRQ00Ul/YmGnFK0OvoQ

- Downloads MZ/PE file
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
Target: 69cebec49aad7594157deb014e52b24580e3a6e05476aac000fd0cf7b1c3bd97.exe
Size: 6.2MB
MD5: 63de00cc272f7f0edb1669c406f97d96
SHA1: ca46c7257e26654586d6348f7aaf618f208693bb
SHA256: 69cebec49aad7594157deb014e52b24580e3a6e05476aac000fd0cf7b1c3bd97
SHA512: 16796815b914363a61ae29627913b3f327b8bde98f78b2e6780f1c5fa4086464b45dee66799c637507f9a48d9be72598caea9bae2bef32ec17803fa9b14b7bd4
SSDEEP: 98304:jvV1BrPfhSqGzb7Jd8TGEjC6SZgeWxhLIzMwoUXYhLNfAMfv2goJMAWB72ozS2e:jHJPgqobVd8TQZaxRIHZCZoJMAWBv

- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Target: cb3cd1f7db0ac8ef966e513358935676673bd972b8baad11ef0f2a8bfdb9cbe4.exe
Size: 738KB
MD5: 33a2aca5866de0f687e0d5d64c1feb9b
SHA1: 42c8a406496525574a3954a219968db17eb7877f
SHA256: cb3cd1f7db0ac8ef966e513358935676673bd972b8baad11ef0f2a8bfdb9cbe4
SHA512: 0df31bd83fb732f9c228807b1ff0897a1f58198a3d9baf544eec95dbae2d19de490a47e2217455438eed4132fb6a5b5f834e74c8210d7741914cc74e4fd65cb6
SSDEEP: 12288:kI2ICYm2L/c37RaJFheLHUvGnJ6zsCMgzF+Nm3jZ738FQTft:AX27c3yQL0vyljgzAwjZj8C
Score: 10/10

- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b.exe
Size: 3.2MB
MD5: f23d61d5ff249493e4b55e0690d7b3e4
SHA1: a6eccac18cc49aa7fe3863afb24d3975a5cf30a8
SHA256: e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b
SHA512: 1782f63dc64baaf47d00ad0f8cf7d04587f8da2656aedf580147387df65b9481e4fdd7a4e34c6f01dfbefc4815d42a994dc7e6e065c84d2cf9821e602ac2446f
SSDEEP: 49152:3osVZWC0R4XRbTaDmixqWsOFQlrYQBDcLatzB+L0iVBH+nBz0I7C:3Z0RkRbTaDmcsOFQpEwIN+d0n

- Detect Lumma Stealer payload V2
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Suspicious use of SetThreadContext