General
-
Target
292015abee48b2c8bd29e505cf4aceb13f698195aa0b9df4566250997e94a7d7
-
Size
7.0MB
-
Sample
231220-pvhvgsaehj
-
MD5
3f29057b16c405448b6b43262b007776
-
SHA1
9bd1a63f471d77a5ce3fed262c71a55a1686a3a3
-
SHA256
292015abee48b2c8bd29e505cf4aceb13f698195aa0b9df4566250997e94a7d7
-
SHA512
dfe3eae71f12e835b43a411659990658f2bd3e1c92c41263f29059ebde65835fcdc37fce12a541f6a945be500f2846793e52b2587b53bc7f2f7932553dc0cc46
-
SSDEEP
196608:962K+HjSb/r1nIWbddasvbbh/ZwcWIs08eGnWQHr9:bKGjQ/r1nx5d3vhRwJ09GW09
Malware Config
Extracted
formbook
4.1
o11y
bilenoer.online
1gocasino.click
bm9qn.top
wzefoy.com
5-minutemoney.com
tx5288.com
ssteaq.com
ztxsm2gxqvl.asia
familyfishing.world
moocytrading.com
dondebusques.com
dtservicesillinois.com
korpativnighs.com
resilientjoy.com
greensclps.com
actionkillsfear.com
siwu81.com
localorion.online
spoke99.com
taxinhanh24h.site
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.status-automation.com - Port:
587 - Username:
bkkhoo@status-automation.com - Password:
bkkhoostatus2018 - Email To:
goodnewsrnan@yandex.com
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
boys@opttools-tw.com - Password:
kV$bSqJ1 daniel - Email To:
boys@opttools-tw.com
Extracted
formbook
4.1
st58
ariaspuccini.coach
ailebasvurulari.xyz
apexconsys.com
paymentnland.com
anniestannie.net
airdriechristianyouthgroup.com
vibezclothings.com
ariellabrock.autos
gloverconsulting.online
cc66007d.com
d55hnw.top
larrydeviney.com
zbhhzs.com
salarapk.com
llamalister.com
bzykaj.com
camloi.xyz
vitalidadenaturalebemestar.com
thefitmove.com
abbyamuwo.com
Extracted
Protocol: smtp- Host:
mail.status-automation.com - Port:
587 - Username:
bkkhoo@status-automation.com - Password:
bkkhoostatus2018
Extracted
formbook
4.1
fs35
latechdz.com
sdp-ploce.com
ss203.site
sm6yuy.net
needstothink.com
heginstwp.com
blueplumespirit.com
vemconferirshop.click
yorent-auto.com
eleononaly.com
medicalspacelocators.com
7law.info
imacanberra.online
bbtyss.top
onlyanfans.com
varenty.com
fappies.shop
313865.com
hongpools.com
babkacuisine.xyz
Extracted
lokibot
http://305.ebnsina.top/_errorpages/305/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
cobaltstrike
1359593325
http://192.236.146.5:80/cx
-
access_type
512
-
host
192.236.146.5,/cx
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXFEiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBva8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
-
watermark
1359593325
Extracted
formbook
4.1
hs94
hrnlius.com
righthouse39.store
nh12dgsdh.top
d6es.com
qjgx8ol.xyz
claricraft.com
amor-de-luxo.com
triokitchenbar.com
britlleysantos.com
hairluxe.info
openclosetstore.com
edubraintoys.com
goldeneaglescoin.com
mayacottage.com
taekyoong.com
mahiguel.com
dramulyamullapudi.com
osaruru.com
momaustralia.com
xiaotu.gay
Targets
-
-
Target
231113-01-Formbook-47d372.exe
-
Size
548KB
-
MD5
aa54cc75551a0903c7c6ad095791cdd7
-
SHA1
47d372a19fc28e8a825adb9511118fb15fa6c9ba
-
SHA256
f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22
-
SHA512
dba879ded111d8bfe690795ff7a9afb4d6497debfcebe8c48962907a3933f431476398f9cf72fd849272abc19a49734be774d3090ccdb6b83f848221f723bb42
-
SSDEEP
12288:r0VlgZ+9iPOxgFyxiXauAia7jebblCKEh0:rnsxgQxiXauAn2b5C
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Suspicious use of SetThreadContext
-
-
-
Target
231113-02-Gh0st.exe
-
Size
152KB
-
MD5
b59b8b60633f4477d0160dfaddfa6899
-
SHA1
6702a138fb55ea3e15ab8a030f499925e4f02c1d
-
SHA256
6504d3d732a500bc1ee7cf81f2d00cefccaebed175cc1eb1df13d82d9b83e5d5
-
SHA512
f5e8e4f4a0c22a5bfb2b406f6662236e11693a1066f2e4937a8b8389d22735b683287b8d75b0eac1dc8e04667fa8864e24682065ca8944e9ae16be492b93a411
-
SSDEEP
1536:QVU7YpxuKobIY6TgTJhJh5tgpIy4TzfOMM/BQkZQA:QuoxQbIY6TgTKtr1
Score3/10 -
-
-
Target
231113-03-Formbook-f8862f.exe
-
Size
1.8MB
-
MD5
4176f7c4f301d2e844abdf4c8a7298cf
-
SHA1
f8862f6c2815a6c4aa5e8a7d46c1b66318d5da93
-
SHA256
66546bdf1106858267f20b74f7aea13115252e74c3a5f85482b70e564f660f0b
-
SHA512
541f802a68e083580215de1143d07f25af8bafdbff93ee984ec737c7f6714d9b201bfa80f9ac6b23355362fab2ed6d6445ecdb2dbf9df8497cee1b2748b5b4a3
-
SSDEEP
24576:SHstQKeB1JqJlLlRNouIKZqzPApw2BDO+7nLl2n/7a5Ox30UDLap:SopeBXqJou8Cw2BDO+70nW5YTv+
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Suspicious use of SetThreadContext
-
-
-
Target
231113-04-Formbook-ffda62.exe
-
Size
184KB
-
MD5
0290553016df26e4890f66f68d91a23b
-
SHA1
ffda62ac3fd831ec2e95410f6ffa5b70f4455da1
-
SHA256
9a4b43e60f5fabee97075207242bcf5127e8ef726277667f050234fc35e1c810
-
SHA512
57b46657b9962789a7969a9f6aa1141cb41c4d78e9d4618576f3fb7ff41a50f30d0d13e507ddd01b7a356faff5c4f1f339c949d2996df52509e3e10edc24c475
-
SSDEEP
3072:qH5Dkc7/uZA3Am36ZSYOwIfZ/AEZ1gHSu6nV5Gs0vSo:a+Q6Ibw8Z/AEI6ntSSo
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Deletes itself
-
Suspicious use of SetThreadContext
-
-
-
Target
231113-05-Frombook-678f18.exe
-
Size
2.3MB
-
MD5
d260f22156670128176057ceb8283285
-
SHA1
678f18a7578c1943fd22cff0e7ac500cd95ca389
-
SHA256
8da211e160945b8260cb4a52216028ca93f0aeb0b468186e48af68525e01d892
-
SHA512
953f55ec4f2414189a189b03e87cc42fe2be2673862617c245b4b7759697d45768e98a05663bbd96020c7778b54591b044102695f20e1a6163d415e9379624b9
-
SSDEEP
49152:zmUjlGU/DDjqvOS6iy3iWOY+YLqaLOlTTrbs69V/:zH3cy3im3L67s69x
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage
-
Adds Run key to start application
-
-
-
Target
231113-06-AgentTesla.exe
-
Size
530KB
-
MD5
4e2367b54883a215b874f09ff299475a
-
SHA1
a1669c0d2e4791e6996149602f6b9502f74f3eae
-
SHA256
8c72d6594c46c605916cf3456b84810a1982c7f62f9c66d7eeb12bd0da0e82d0
-
SHA512
8e54ac718e3e8d4b7fdb7c2455895686b071bac61b2089118fbc9a29ca4eda1008bb83424312008db3a8b8de9aaebf3d287f1169bfc87c707519a51341597549
-
SSDEEP
12288:P0VcgMUZPqFQXEtXogTQI0I/cGT7zJqJmxYWNtP:PZ0PqKAJT0CzJdxYetP
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
231113-07-Frombook-b13b6d.exe
-
Size
329KB
-
MD5
721d7f2dfc6c49e0e11e87361ac493d5
-
SHA1
b13b6d2d1e9eca3f87c22d6f2eebbf39b0ee6e0b
-
SHA256
818f9ba3c7565feb703c742d5e4a8134582cc419dbbf315df8e96a2eacc3b710
-
SHA512
48f3a6ceebd2dfd13eec4a9889b83e7ffe1c92d84f20861c3968bbbf2a9d5a05e0031ef27d50557be2f658661c64700818ec33e797f82b7fed7fa093a643a5b6
-
SSDEEP
6144:wBlL/9bp63FQUD4MAwlpKd9mgTRm+YMCpGAqgQM5KEDTgYsMiJw75r8Uo3ues8y:C/bpeREMAapKd9jTs+YMCpGJM5KEDTge
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
-
-
Target
231113-08-Snake-d91fed.exe
-
Size
496KB
-
MD5
1b278305cb4e9f2127d141e7bf35208c
-
SHA1
d91fedc2f515fe0b94f808700c6c94d123bbf6f9
-
SHA256
0fcc6d53f8ef84332db1f7e6f884870964ef6b6d718000cfbaaa224dcb5fb90e
-
SHA512
a858319b18666671f1f94cd41789cef35cb526e36482b622deb9b64ef98fbe4c851ff204c68714183ef6f5be4c2ffe312ec419065a32e3b486925d89f1eab85d
-
SSDEEP
12288:wcR4gPI6771YWj8+rhD9TvwsJVXAlonR8HFBN:tN7ljB9rwsJ9ny
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
231113-09-Snake-1c2c3e.exe
-
Size
125KB
-
MD5
2a733f0fff0f3b5d01d1a11837d1db16
-
SHA1
1c2c3ea80cfb3cab2b5aa655e7bcabd04a06c759
-
SHA256
fac0ceb2a8b38f28f0e167613d7bb732621ba060543a5a7cc3566734c717a84a
-
SHA512
89b8ddc01a8a3252ce9e1c041671cf5cb91f2be2447989883b84f599eea93a3aac9dedf4491f910e1a6115c3806477b780fe3ace3f5e6684812d1272d1bb295e
-
SSDEEP
1536:1R2lYen2RwKeRWJF8Atp+vBUFMlY6OgkKwBmsb+o16MFigB1b/zu2C/mKRJpiOW2:72lYlqsF8A8OgMz1b71qLwBgnvgbY
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
231113-10-Redline.exe
-
Size
399KB
-
MD5
b42248f56f3df85e63aa0f41e0bca0d7
-
SHA1
96ad673a7c5e6a6a8cca12c8fadfffc1d240014f
-
SHA256
189597859f74a7db84a4bc3d49b4464e4023a6df1c6c28b948239401f9291c25
-
SHA512
dd9fddc46ba4ac29dc700497f809bb089f7828db8a1f5984f3088ad2df0ad4e82702e8f95f50bedffa6180863290e245ce5d299eb4858fc937ef6cd7f59eb74c
-
SSDEEP
12288:wXfp/8W1Jf3XbWlajGJ/q4EbRcMmnVwyxjeWF/s11v:wXfrJvEaj+/q4EbRcMmnVwyxjeWF/s11
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
-
-
Target
231113-11-Lokibot.exe
-
Size
458KB
-
MD5
b16f61dceaf2256373c594735b8cbf4e
-
SHA1
af44533a826dfd5f732fb107dacba00c686835b8
-
SHA256
20fa2e8a490cd396fd059d2a6996a00a33dd3ffbca083cd6873eb14fc56d177b
-
SHA512
b79de47166e2eac9c0485726b2a72c78d3091734afed5c418636f7b1ff74725b8db895bd188db55141e401c29d282e50b60f3791fe0e4279709f0a3cda171091
-
SSDEEP
6144:AxxG0VMiG0g6PvH7CW6JfddFRoRsjNrrSggrlWasvAdxA2wAQpSixfb5fuTFXFLp:N0V1gVW6PdFK02gONvogyft4FZPjsPh
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
231113-12-Cobaltstrike.exe
-
Size
6.0MB
-
MD5
82162d22a57da0916f939341994d8a70
-
SHA1
c44229b799ba687cf25948f9933bc848844d48f8
-
SHA256
c06b7c429d664ab28086c4ff45d704838d28d1f2492ad8d8de15ec0bae01e9b3
-
SHA512
d848417f7eba6d2fdae9839b12305bd7dc963200d626f4f361e1e6fa87a084eeb31d59c5a20e4d7eb3ff015848ec80991560aac8a566fbc26b435e5f4d072e8c
-
SSDEEP
49152:NW+0bVXeQqZUhh4r5VC9PI+Kt/KaDZL/kUkDU199XPUprpB5Qxb/DR2UGovAJg8z:NWpbwQqZUha5jtSyZIUb
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-