Overview
Score: 10/10

Tasks (score as shown on each task tab; task names follow the report's own numbering)
Task          Sample                    Platform             Score
static1       (submitted file)          -                    3/10
behavioral1   18e7407574...7d.exe       windows7-x64         10/10
behavioral2   18e7407574...7d.exe       windows10-2004-x64   10/10
behavioral3   1c8b4ce8d4...78.exe       windows7-x64         1/10
behavioral4   1c8b4ce8d4...78.exe       windows10-2004-x64   1/10
behavioral5   456480580b...dd.exe       windows7-x64         10/10
behavioral6   456480580b...dd.exe       windows10-2004-x64   10/10
behavioral7   700e76e752...58.exe       windows7-x64         10/10
behavioral8   700e76e752...58.exe       windows10-2004-x64   10/10
behavioral9   82cb6a221e...da.exe       windows7-x64         10/10
behavioral10  82cb6a221e...da.exe       windows10-2004-x64   10/10
behavioral11  ba01c08c3a...b4.elf       debian-9-armhf       9/10

General
Target: cd77b109e45ef08f0b25ae4e211b4134bd7c349cbdf2ecde6425ec267a6a3a0d
Size: 5.3MB
Sample: 231206-c3q5lsad49
MD5: ca4711c30efb40ef4efed068e84b608e
SHA1: 8838972d8b66f51e3e39081aaff22eac79432bea
SHA256: cd77b109e45ef08f0b25ae4e211b4134bd7c349cbdf2ecde6425ec267a6a3a0d
SHA512: a9e4e63abf3d9c9512e97c9084d3dff4d664c2819e49f42bd7eaa5f84f2795e0d28822c60ebd4fd97211709239ac124bc408581a206b1cb40e382c315defde14
SSDEEP: 98304:8gmy+Qm/XZd3fOUlgmI5XtG2e0jTfxy9VcaoKBFULPz4dEyRwqBVPqDUpdfvhrzR:xL+Q4p5plgmz2e0jTxwETz4dfRwQVSDY
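Before relying on any of the findings below, confirm that the file you pulled is the one the report describes. The script below is an added example (it is not part of this report and not a sandbox vendor tool): it hashes a file with the same four algorithms the report lists and also checks that a sample named after its SHA-256, as the inner samples here are, really has that digest. REPORT_HASHES holds the archive's MD5/SHA1/SHA256 copied from the General section; SSDEEP is left out because it needs a third-party module.

```python
"""Verify a pulled sample against the hashes a sandbox report lists for it.

Added example; not part of the report and not a sandbox vendor tool.
Only hashlib is used, so SSDEEP (third-party module) is not checked here.
"""
import hashlib
import io
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Copied from the report's General section for the submitted 5.3MB file.
# Add the inner samples' digests in the same shape to verify those as well.
REPORT_HASHES = {
    "cd77b109e45ef08f0b25ae4e211b4134bd7c349cbdf2ecde6425ec267a6a3a0d": {
        "md5": "ca4711c30efb40ef4efed068e84b608e",
        "sha1": "8838972d8b66f51e3e39081aaff22eac79432bea",
        "sha256": "cd77b109e45ef08f0b25ae4e211b4134bd7c349cbdf2ecde6425ec267a6a3a0d",
    },
}


def digest_stream(fh, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Read the stream once and return {algorithm: hexdigest} for every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithms=ALGORITHMS):
    """Same as digest_stream, for an in-memory blob."""
    return digest_stream(io.BytesIO(data), algorithms)


def compare_digests(actual, expected):
    """Return the algorithms whose digest differs from the report (empty list = match).

    Case-insensitive, and algorithms the report did not list are skipped, so a
    partial entry (for example only SHA-256) still verifies.
    """
    return sorted(
        name for name, value in expected.items()
        if name in actual and actual[name].lower() != value.strip().lower()
    )


def sample_name_is_honest(filename, digests):
    """Inner samples are named <sha256>.<ext>; check the name matches the content."""
    stem = Path(filename).name.split(".", 1)[0].lower()
    return len(stem) == 64 and stem == digests["sha256"]


def verify_file(path, report=REPORT_HASHES):
    """Hash one file and check it against the report entry selected by its SHA-256 name."""
    with open(path, "rb") as fh:
        digests = digest_stream(fh)
    stem = Path(path).name.split(".", 1)[0].lower()
    expected = report.get(stem)
    return {
        "path": str(path),
        "digests": digests,
        "in_report": expected is not None,
        "mismatches": compare_digests(digests, expected) if expected else [],
        "name_matches_content": sample_name_is_honest(path, digests),
    }


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        result = verify_file(arg)
        ok = not result["mismatches"] and result["name_matches_content"]
        print("OK" if ok else "MISMATCH", arg, result["mismatches"],
              "" if result["name_matches_content"] else "(name != sha256)")
```

Run it as `python verify.py <file>...`; anything other than OK means the artifact is not the one analysed here and the signatures below should not be attributed to it.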
Analysis tasks
Task          Sample                                                                  Resource
static1       -                                                                       -
behavioral1   18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe   win7-20231129-en
behavioral2   18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe   win10v2004-20231130-en
behavioral3   1c8b4ce8d40a1abab07532a4d3a3832fc7e7e1c00c32002d264220afa0529b78.exe   win7-20231201-en
behavioral4   1c8b4ce8d40a1abab07532a4d3a3832fc7e7e1c00c32002d264220afa0529b78.exe   win10v2004-20231130-en
behavioral5   456480580b48923a2771689cf8ee2240d1a98f5c1633671260bdc203ce5a8edd.exe   win7-20231201-en
behavioral6   456480580b48923a2771689cf8ee2240d1a98f5c1633671260bdc203ce5a8edd.exe   win10v2004-20231130-en
behavioral7   700e76e7520021aeb60b4cd42c3ab8bbd2a20fc36228ad4dfce94c927b6e7f58.exe   win7-20231023-en
behavioral8   700e76e7520021aeb60b4cd42c3ab8bbd2a20fc36228ad4dfce94c927b6e7f58.exe   win10v2004-20231127-en
behavioral9   82cb6a221ee2b2c0c0f43139765407c713ff6980d966544f71f351c66928a4da.exe   win7-20231020-en
behavioral10  82cb6a221ee2b2c0c0f43139765407c713ff6980d966544f71f351c66928a4da.exe   win10v2004-20231127-en
behavioral11  ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf   debian9-armhf-20231026-en
Malware Config
Extracted: agenttesla
  Telegram Bot API URL: https://api.telegram.org/bot6695508500:AAHkexS5oB1E5lJkAEKZx2DzV7hRPW1U52k/
Extracted: (family not shown)
  Protocol: smtp
  Host: mail.gimpex-imerys.com
  Port: 587
  Username: [email protected] (address not recoverable from the page)
  Password: h45ZVRb6(IMF
Extracted: agenttesla
  Protocol: smtp
  Host: mail.elec-qatar.com
  Port: 587
  Username: [email protected] (address not recoverable from the page)
  Password: MHabrar2019@#
  Email To: [email protected] (address not recoverable from the page)
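The extracted configs above describe two exfiltration channels: a Telegram Bot API URL, whose token is unique to the attacker's bot and prefixes every API call, and SMTP submission servers on port 587. The script below is an added example, not part of the report, that turns those values into indicators and matches them against Zeek-style JSON records. It also shows the gap a practitioner has to bridge: conn.log and smtp.log carry only IPs, so hostname IOCs are matched through earlier dns.log answers. The log lines, IP addresses, uid values, rule names and severities are constructed for illustration; the SMTP usernames are not legible on the page and are not used.

```python
"""Turn the extracted Agent Tesla configs into network IOCs and run them over
Zeek-style JSON log lines.

Added example, not part of the report or of any sandbox tooling. The Telegram
URL and the SMTP host/port pairs are copied from the report; everything else
(log lines, IPs, uids, rule names, severities) is constructed for illustration.
"""
import ipaddress
import json
from urllib.parse import urlsplit

EXTRACTED_CONFIGS = [
    {"family": "agenttesla",
     "telegram": "https://api.telegram.org/bot6695508500:AAHkexS5oB1E5lJkAEKZx2DzV7hRPW1U52k/"},
    {"family": None, "protocol": "smtp", "host": "mail.gimpex-imerys.com", "port": 587},
    {"family": "agenttesla", "protocol": "smtp", "host": "mail.elec-qatar.com", "port": 587},
]


def build_iocs(configs):
    """Derive matchable indicators: (host, /bot<token>/ prefix) pairs and SMTP (host, port) pairs.

    The token is the unique part of the Telegram URL, so host plus path prefix is a
    high-confidence indicator; api.telegram.org on its own is not.
    """
    iocs = {"telegram_bot": set(), "smtp_servers": set()}
    for cfg in configs:
        if "telegram" in cfg:
            url = urlsplit(cfg["telegram"])
            iocs["telegram_bot"].add((url.hostname.lower(), url.path))
        if cfg.get("protocol") == "smtp":
            iocs["smtp_servers"].add((cfg["host"].lower(), int(cfg["port"])))
    return iocs


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def match_events(events, iocs):
    """Run the indicators over parsed Zeek records in log order; return alerts.

    dns.log answers are cached so hostname IOCs can be applied to conn.log and
    smtp.log records, which identify the server by IP only.
    """
    resolved = {}  # responder IP -> hostname it was last resolved from
    telegram_hosts = {host for host, _ in iocs["telegram_bot"]}
    alerts, seen = [], set()

    def alert(rule, severity, ev, detail):
        key = (rule, ev.get("uid"))
        if key not in seen:  # one alert per rule per connection (conn + smtp share a uid)
            seen.add(key)
            alerts.append({"rule": rule, "severity": severity, "uid": ev.get("uid"),
                           "orig_h": ev.get("id.orig_h"), "detail": detail})

    for ev in events:
        path = ev.get("_path")
        if path == "dns":
            for answer in ev.get("answers") or []:
                if _is_ip(answer):
                    resolved[answer] = (ev.get("query") or "").lower()
        elif path == "http":  # only present for Telegram where TLS is inspected
            host, uri = (ev.get("host") or "").lower(), ev.get("uri") or ""
            for bot_host, prefix in iocs["telegram_bot"]:
                if host == bot_host and uri.startswith(prefix):
                    alert("agenttesla_telegram_bot_token", "high", ev, host + uri)
        elif path == "ssl":  # TLS hides the path, so the token cannot be checked: weak signal
            sni = (ev.get("server_name") or "").lower()
            if sni in telegram_hosts:
                alert("telegram_api_tls", "low", ev, sni)
        elif path in ("conn", "smtp"):
            name = resolved.get(ev.get("id.resp_h"))
            if name and (name, ev.get("id.resp_p")) in iocs["smtp_servers"]:
                alert("agenttesla_smtp_exfil_server", "high", ev,
                      f"{name}:{ev['id.resp_p']} ({ev['id.resp_h']})")
    return alerts


# Constructed Zeek JSON lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG_LINES = [
    '{"_path":"dns","uid":"C1","id.orig_h":"10.0.0.5","query":"mail.gimpex-imerys.com","answers":["203.0.113.25"]}',
    '{"_path":"http","uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.40","id.resp_p":443,"host":"api.telegram.org","uri":"/bot6695508500:AAHkexS5oB1E5lJkAEKZx2DzV7hRPW1U52k/sendDocument"}',
    '{"_path":"http","uid":"C3","id.orig_h":"10.0.0.9","id.resp_h":"203.0.113.40","id.resp_p":443,"host":"api.telegram.org","uri":"/bot1234567890:OTHERTOKEN/getMe"}',
    '{"_path":"ssl","uid":"C4","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.40","id.resp_p":443,"server_name":"api.telegram.org"}',
    '{"_path":"conn","uid":"C5","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.25","id.resp_p":587,"proto":"tcp"}',
    '{"_path":"smtp","uid":"C5","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.25","id.resp_p":587}',
    '{"_path":"conn","uid":"C6","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.25","id.resp_p":443,"proto":"tcp"}',
]


def parse_zeek_json(lines):
    return [json.loads(line) for line in lines if line.strip()]


def run_sample():
    """Match the constructed log lines against the report's IOCs."""
    return match_events(parse_zeek_json(SAMPLE_LOG_LINES), build_iocs(EXTRACTED_CONFIGS))


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"], a["rule"], a["uid"], a["orig_h"], a["detail"])
```

Note what does and does not fire: C3 uses a different bot token and stays silent, C6 reaches the SMTP host on a non-exfil port and stays silent, while C5 fires once even though conn.log and smtp.log both record it.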
Targets

Target: 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe
Size: 823KB
MD5: 77e7f5ee129d7a0eb6a063c6700083f6
SHA1: 3809d6d83545814b6ca32ee97de22a5d9ce43114
SHA256: 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d
SHA512: 5933fba201b39e8e3768b2eae316e9ab2bce27446d96b521f044a7960f7402ee2fd44c5d1f5be5ff0e8390978e836c030b3b341039e2023aace9d7f39693611e
SSDEEP: 12288:PWcXtW8G34/uK45+po2PUabkUh88z0IvoFMY1EUcCzetvc4en1ccxfD0whVS3UeJ:634/up+pJKY3o7NHiFcrn9xfnV+bJ
Signatures:
- AgentTesla: Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic (VB.NET).
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext (the API used to redirect a suspended thread's entry point, as in process hollowing)
Target: 1c8b4ce8d40a1abab07532a4d3a3832fc7e7e1c00c32002d264220afa0529b78.exe
Size: 173KB
MD5: 2c4d4eb864e1de4eee51f0cf47e11d45
SHA1: 97e4a487e54af17dbb2deceed4b758d934c12478
SHA256: 1c8b4ce8d40a1abab07532a4d3a3832fc7e7e1c00c32002d264220afa0529b78
SHA512: 501a19ac2c7421fbf78ad35ad4593c38fcc021a001a797d648832ccba6606b01b08aed2f2e85abb583bdd2ce2c2a2dde6d0874cb3d16ecad6473e3eef0e587d7
SSDEEP: 1536:oGXt/KSsHrtMD9QD9su0PQ/nNNBpzSTgFN0/QAEl20hq0GeyX9Ef+qcNrqs8jcdm:pJKLr4Q6M/pps/QTE2K9s+xCKqVoQ
Score: 1/10
Signatures: none reported
Target: 456480580b48923a2771689cf8ee2240d1a98f5c1633671260bdc203ce5a8edd.exe
Size: 3.3MB
MD5: 15bc4d1c91da5d491756d4c4cfa96f8e
SHA1: d1a0a6f32d9a41ff76fe2a0ff3ef084334b949d6
SHA256: 456480580b48923a2771689cf8ee2240d1a98f5c1633671260bdc203ce5a8edd
SHA512: f7658e5fd2228cb28ea823027139a221f4d0721a4a2f30e3454bdecdb37a903ae35cb7830ad0cf6ef36233334cc9936768ed8505bb277ff5994a9e95202ec99b
SSDEEP: 98304:NAhjsRxEm2bTLMup0z1Uesj6qqDK8COMf3:NAJDHbTLbpU1ij6jCzf
Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
Target: 700e76e7520021aeb60b4cd42c3ab8bbd2a20fc36228ad4dfce94c927b6e7f58.exe
Size: 758KB
MD5: fdee1760ee8830c6406a76561e28afee
SHA1: 72e78f9aef571fe3bfaee794f503a8619f772f5f
SHA256: 700e76e7520021aeb60b4cd42c3ab8bbd2a20fc36228ad4dfce94c927b6e7f58
SHA512: 5a22f1df65a2121bdca35742ea8613723ab65f6a2d6faa7c5516ba977aa084aac463aab8f9f461cba508c489b933a6974224ae929a3dee4cedaa3f451bec6131
SSDEEP: 12288:qfYNr4RbLxP45+po2UTi3B4NYc+vuDueVC9TWwx5Lo23bf7ssHhsJx5dPoavX+:ELk+pJUTiR4KcnaeUNh5Lo2LgEheca
Signatures:
- AgentTesla: Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic (VB.NET).
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles (where saved mail account credentials are stored)
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: 82cb6a221ee2b2c0c0f43139765407c713ff6980d966544f71f351c66928a4da.exe
Size: 830KB
MD5: 985225f6ec19a166c50bd5d0e16d330f
SHA1: 9022950aa9cef1cc010c636a97b229e30d0002b0
SHA256: 82cb6a221ee2b2c0c0f43139765407c713ff6980d966544f71f351c66928a4da
SHA512: a4d5576cc36994ae0d6bfa0545961370f429bd8a4e875a65e77f6f4cf522dbf1fa82fb5491b593f26178a6a27c8c1b54214b06c29b43a6c2e09908ab4361d5a0
SSDEEP: 24576:koPOk+pJZDI7EeT/ZhOX0IAmQeY14VDjh:nyJ6ZT/Zh3IAmQ5qD
Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic (VB.NET).
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext
Target: ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf
Size: 61KB
MD5: fa9bbf55033f574c2b4cbd81da5ed433
SHA1: 6cb40777e153a9e4028e5c30c5af86b0f56f768e
SHA256: ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4
SHA512: 08c39d6214ce0ffa7a6030daa5f45a7774730c2a5599c8213bd40f38b5538a71f9e87e8345d379e642506405924fe2b194e395b354d5cba79b876478bcbb72b6
SSDEEP: 1536:1aoa3nfdgN5ceyp3row6V1R75T5Ix/yEvSmY:1aoGnfW2pbyV1R7krA
Score: 9/10
Signatures:
- Contacts a large number of remote hosts (76773): this may indicate a network scan to discover remotely running services.
- Creates a large number of network flows: this may indicate a network scan to discover remotely running services.
- Changes its process name
- Deletes itself
- Renames itself
- Unexpected DNS network traffic destination: traffic on the DNS port (53) to servers other than the configured DNS servers was detected.
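The two network signatures on this ELF target describe behaviour rather than fixed indicators, so they are best caught with flow-level thresholds rather than IOC lists. The script below is an added example, not from the report, that implements both checks over constructed flow records: the largest number of distinct destination hosts a source reaches inside a sliding time window, and port-53 traffic to anything other than the configured resolvers. The resolver address, the 100-host threshold, the 60-second window and the sample flows are assumptions; the report's task reached 76773 hosts, far above the threshold used here.

```python
"""Flow-based checks for the two network signatures raised on the ELF task:
large fan-out to distinct remote hosts (scanning) and DNS-port traffic to
servers that are not the configured resolvers.

Added example, not part of the report. Resolver, threshold, window and the
sample flows are constructed assumptions.
"""
from collections import defaultdict

CONFIGURED_RESOLVERS = {"10.0.0.53"}  # assumption: the resolver the network hands out
FANOUT_THRESHOLD = 100                # assumption: distinct hosts per window that count as scanning
WINDOW_SECONDS = 60.0


def parse_flows(lines):
    """Parse constructed tab-separated flow lines: ts, src, dst, dport, proto."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def max_fanout(flows, window_s=WINDOW_SECONDS):
    """Per source, the largest number of distinct destinations contacted within
    any window_s-second span (sliding window over time-sorted flows)."""
    per_src = defaultdict(list)
    for f in flows:
        per_src[f["src"]].append((f["ts"], f["dst"]))
    result = {}
    for src, items in per_src.items():
        items.sort()
        counts, left, best = defaultdict(int), 0, 0
        for ts, dst in items:
            counts[dst] += 1
            while ts - items[left][0] > window_s:  # drop flows that fell out of the window
                old = items[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        result[src] = best
    return result


def detect_fanout(flows, threshold=FANOUT_THRESHOLD, window_s=WINDOW_SECONDS):
    """Sources whose peak fan-out reaches the threshold, with the peak count."""
    return {src: n for src, n in max_fanout(flows, window_s).items() if n >= threshold}


def detect_unexpected_dns(flows, resolvers=CONFIGURED_RESOLVERS):
    """Flows to port 53 whose destination is not a configured resolver: catches
    malware that carries its own resolver and hosts with tampered DNS settings."""
    return [f for f in flows if f["dport"] == 53 and f["dst"] not in resolvers]


def build_sample_log():
    """Constructed flows: one host sweeping 250 addresses on one port in 25 s,
    one ordinary host, and one host resolving names through an outside server."""
    lines = ["#ts\tsrc\tdst\tdport\tproto"]
    for i in range(250):
        lines.append(f"{1000.0 + i * 0.1:.1f}\t10.0.0.7\t198.18.0.{i + 1}\t23\ttcp")
    for i in range(5):
        lines.append(f"{1005.0 + i:.1f}\t10.0.0.12\t203.0.113.{10 + i}\t443\ttcp")
    lines.append("1006.0\t10.0.0.12\t10.0.0.53\t53\tudp")
    lines.append("1100.0\t10.0.0.20\t198.51.100.9\t53\tudp")
    return lines


if __name__ == "__main__":
    flows = parse_flows(build_sample_log())
    for src, n in detect_fanout(flows).items():
        print(f"scan-like fan-out: {src} reached {n} distinct hosts within {WINDOW_SECONDS:.0f}s")
    for f in detect_unexpected_dns(flows):
        print(f"unexpected DNS destination: {f['src']} -> {f['dst']}:53")
```

The window matters as much as the threshold: the same 250 flows look like 51 hosts in any 5-second window and 250 in a 60-second one, so tune both against the fan-out your own hosts show before alerting on it.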
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution, T1547 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
- Scheduled Task/Job, T1053 (1)
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
- Scheduled Task/Job, T1053 (1)