General

  • Target

    8cb5769c3a25134797f34143d7be5857f5c9a4793f8455422458ed2ce5e67ced

  • Size

    83.2MB

  • Sample

    240211-bnhz1sah5v

  • MD5

    2bb42050234ec94a1dffa932f852966c

  • SHA1

    f6a6cd9d364ccaf4985b75f1729d482586d71450

  • SHA256

    8cb5769c3a25134797f34143d7be5857f5c9a4793f8455422458ed2ce5e67ced

  • SHA512

    165ea313e14eeedf50cb2333742da8cb1df7e0dcd4a645da27b904ce2bf90477057e46978933f070f1eff2c1ab8b5a3c0b6d6a89bf8bc4245929f6a344b0f1db

  • SSDEEP

    1572864:d3gwd5LMr6+gq895N5/EwNBXDFmX0l5ZC6xv66MXq89g+aZTeTRGMHee/fi5bt4s:dQwTQ6X51PFmX0/XyrXqfXZaeCfMbmG

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6524461406:AAH3TboEjg5cRFE0HbCMLee4xLBl6zEAtIk/

Extracted

Family

darkcloud

Attributes

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gasplants.quest
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ifeanyi1987@

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.corpsa.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    -E~O8rekW5UT

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    $F%bWyL5
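
The extracted configs above name the exfiltration channels these samples use: the Telegram Bot API over HTTPS (AgentTesla), SMTP submission on 587 (DarkCloud and AgentTesla), and plaintext FTP on 21 (AgentTesla). The following is an added example, not part of the sandbox output, that turns those endpoints into network IOCs and runs them over connection logs. The hosts and the Telegram bot path are taken from the config section; the log format and the log lines are constructed for illustration, and the passwords are deliberately left out since defenders need the endpoints, not the credentials.

```python
"""Network IOCs from the extracted AgentTesla/DarkCloud exfil config.

Added example for this report, not part of the sandbox output. The hosts and
the Telegram Bot API path come from the Malware Config section; the log lines
at the bottom are constructed for illustration."""
import re
from urllib.parse import urlparse

# Exfiltration endpoints listed in the extracted config: host -> (port, protocol).
# api.telegram.org is handled separately below, because the host alone is legitimate.
EXFIL_HOSTS = {
    "mail.gasplants.quest": (587, "smtp"),       # DarkCloud, SMTP submission
    "ftp.corpsa.net": (21, "ftp"),               # AgentTesla, plaintext FTP
    "us2.smtp.mailhostbox.com": (587, "smtp"),   # AgentTesla, SMTP submission
}

# Telegram bot tokens are "<numeric bot id>:<url-safe secret>", and the Bot API
# embeds them in the URL path, so the URL itself pins the operator's bot id.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})(?:/|$)")


def telegram_bot_id(url):
    """Return the bot id from a Telegram Bot API URL, or None if it is not one."""
    parsed = urlparse(url)
    if parsed.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_PATH.match(parsed.path)
    return m.group(1) if m else None


# Constructed (hypothetical) log format, one connection per line:
#   <timestamp> <process> <dst_host>:<dst_port> <url or ->
LOG_RE = re.compile(r"^(\S+) (\S+) ([^:\s]+):(\d+) (\S+)$")


def match_log_lines(lines, exfil_hosts=EXFIL_HOSTS):
    """Flag connections to the extracted exfil hosts or to any Telegram bot endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, proc, host, port, url = m.groups()
        reason = None
        if host in exfil_hosts and int(port) == exfil_hosts[host][0]:
            reason = "known %s exfil host from config" % exfil_hosts[host][1]
        bot = telegram_bot_id(url) if url != "-" else None
        if bot:
            # Legitimate bot automation exists; allowlist by process/bot id in practice.
            reason = "telegram bot api call (bot id %s) from %s" % (bot, proc)
        if reason:
            hits.append({"ts": ts, "process": proc, "dst": "%s:%s" % (host, port),
                         "reason": reason})
    return hits


# Constructed sample log, not real telemetry.
SAMPLE_LOG = [
    "2024-02-11T10:01:02Z chrome.exe www.example.com:443 https://www.example.com/",
    "2024-02-11T10:01:05Z sample.exe api.telegram.org:443 "
    "https://api.telegram.org/bot6524461406:AAH3TboEjg5cRFE0HbCMLee4xLBl6zEAtIk/sendDocument",
    "2024-02-11T10:01:09Z sample.exe mail.gasplants.quest:587 -",
    "2024-02-11T10:02:11Z outlook.exe smtp.office365.com:587 -",
    "2024-02-11T10:02:30Z sample.exe ftp.corpsa.net:21 -",
]

if __name__ == "__main__":
    for hit in match_log_lines(SAMPLE_LOG):
        print(hit["ts"], hit["process"], hit["dst"], "->", hit["reason"])
```

Matching on host plus port rather than host alone keeps mail.gasplants.quest on 587 distinct from ordinary web traffic to the same domain, and matching the bot-API path rather than api.telegram.org keeps a Telegram IOC from lighting up on every messenger user. The bot id alone is a stable pivot: the operator can rotate the secret half of the token, but the numeric id stays tied to the bot account.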

Targets

    • Target

      0289cf98e4e9f9b86173926ee7b896458ca992c2d2976537fee4e30be2210ab1.pdf

    • Size

      75KB

    • MD5

      005e0f63b3ff4ac6b9a81a4aa9570220

    • SHA1

      a2336579177a9899b1b7ad3f527d9a80232e7547

    • SHA256

      0289cf98e4e9f9b86173926ee7b896458ca992c2d2976537fee4e30be2210ab1

    • SHA512

      f18d2489d2315681afb67cad2d1e803e70089d326cf4d3e479fb936a95394c8b6c3e568bf261fe7759d2ec6afab869221e507229c8654b3642080196863b03f3

    • SSDEEP

      1536:SrzIm0LzXFxtkz46ITB8CKIXe12XfdvrteXAj8uYX7MPfiK:GITFrtrGyX02XfDeQj8DxK

    Score
    1/10
    • Target

      102c2cedea798b38f357101d8574519820f7a3278e9043fc254f73de06568273.exe

    • Size

      240KB

    • MD5

      d0573ee8b060cbfd73500a2d137da3e9

    • SHA1

      446f46a21738a5a9a6b8b6753161f808c2acb8cd

    • SHA256

      102c2cedea798b38f357101d8574519820f7a3278e9043fc254f73de06568273

    • SHA512

      6eb5ad45c542a4a718cec1f60ccda8d98350a1e05e46dbfeee436b36c0464fade99828cd4d1e61b1438aa0c05f9369bc514dc0a18260b2577b25ded4f5f3e821

    • SSDEEP

      3072:oDLNPhZ1xFpRXlTpHBKHdPaTfVUDlPV8PafjpzgDBlXqfiq25P7fB9Du9RV:2LNJZ1xFpnTpHytfj9gDBpqfiqofBh

    • AgentTesla

      Agent Tesla is a .NET-based infostealer and remote access tool (RAT) that harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP (including the Telegram Bot API).

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

      Registry Run-key persistence (MITRE ATT&CK T1547.001).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      114322a61e042f61dcd09306c0d19f875e41638452c3bf9a24a6c8251ef5ab72.exe

    • Size

      628KB

    • MD5

      ae6461999a7ec5264529540062345348

    • SHA1

      1da5496562cffaaf5c76ffd2789f18ac659eeb5f

    • SHA256

      114322a61e042f61dcd09306c0d19f875e41638452c3bf9a24a6c8251ef5ab72

    • SHA512

      cf5b2aab9c0dfd4e56143669029d799b286f7e381b6dd3459316b7ff3fea34ff70d2ce1e8bea8a3b3d11d0095ddcface8d6051b5be244685af6d0e3518c135a3

    • SSDEEP

      12288:3RCBU3YxdKZaGKQcpQVqj0Y7aD8VdD2auML+dv/CKtLPVHt+MQwmD3UYSKDJvQPU:MBJScpQlZDcIaBoCKtLtwMGDjSKDOA

    • AgentTesla

      Agent Tesla is a .NET-based infostealer and remote access tool (RAT) that harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP (including the Telegram Bot API).

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

      Registry Run-key persistence (MITRE ATT&CK T1547.001).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Typically used to redirect a suspended thread into injected code (process hollowing/injection).

    • Target

      1447056a874d4d290ccaabacbc07fcae7b2ae38f095fdf44ae84de8b72f9e866.exe

    • Size

      386KB

    • MD5

      e31ca7eba5cac4cb1e8282614a0ef731

    • SHA1

      8b84f68d86ca6ee93b2d5610e45e3e04b77a8016

    • SHA256

      1447056a874d4d290ccaabacbc07fcae7b2ae38f095fdf44ae84de8b72f9e866

    • SHA512

      337ef03c8adf8f9b8846c1cb335ee2beabe938c1be1b1e648c58023abafbc27dbb00d49fa574bab1e0756ba2b06ea5199a96dbe310c4bd8b0e4c30c672313c8b

    • SSDEEP

      12288:WpLNxYqeb7Oppc92N/i4eAjyEVPvIjYKkJj6GmZU:gxSbIDeAjJVPv+Yb6nZ

    Score
    10/10
    • Target

      2ad5dc1eb890561c6eaba03369822cab1177e08df5e2afdfb28273ce42b39dc9.exe

    • Size

      1.3MB

    • MD5

      b7697fe7636e6dcbdae8f9cab7d058be

    • SHA1

      92160284b9c104b5991c134a6a65162227d81967

    • SHA256

      2ad5dc1eb890561c6eaba03369822cab1177e08df5e2afdfb28273ce42b39dc9

    • SHA512

      f6f801c248964785edc431422d73b7937838c0aff564238404a642746d6fb0d6c4a028af9091f8b3ab5fe5a461c3a28606faa0e835515f9fbaa4d3c5811ceea9

    • SSDEEP

      24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8aaZmF4O/l+XJPyUeB8hX:rTvC/MTQYxsWR7aaZmFpmyH8

    • AgentTesla

      Agent Tesla is a .NET-based infostealer and remote access tool (RAT) that harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP (including the Telegram Bot API).

    • Drops startup file

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

      Typically used to redirect a suspended thread into injected code (process hollowing/injection).

    • Target

      2ce5c35b6e4effb5c1165d6f60e8d7c73eade7476e94de7690168c65b3b41005.exe

    • Size

      521KB

    • MD5

      ee2cb273bb396ae44970dc10457fd305

    • SHA1

      e372562b079d1d86c6478a7c2949f2a06354198f

    • SHA256

      2ce5c35b6e4effb5c1165d6f60e8d7c73eade7476e94de7690168c65b3b41005

    • SHA512

      3d1a3f22ffa585dc77d965b82c12565588935390662535dc8e27f12b5c4d03846608a17e8eea1156c05da5e99038c81f25b4466269e6765feb0e8e25d289ce5f

    • SSDEEP

      6144:1R+xXVwCNLDftawFa72Cra2ohD47gGSCdZQDXM47kZkByFxcQsnO+dgXhiQlttfI:z2xtawcL2l47gNTMJDfIJukit+JQlvD4

    • GuLoader, CloudEyE

      A shellcode-based downloader first seen in 2020; it typically retrieves an encrypted payload from legitimate cloud hosting services.

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Anti-debugging: a thread created with THREAD_HIDE_FROM_DEBUGGER delivers no debug events to an attached debugger.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Anti-debugging: the same flag applied to an existing thread via NtSetInformationThread(ThreadHideFromDebugger).

    • Suspicious use of SetThreadContext

      Typically used to redirect a suspended thread into injected code (process hollowing/injection).

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      2f93268254854fcf8b754edd270c08b574f3b078c601aece0efc50c95596b086.exe

    • Size

      1.0MB

    • MD5

      f09350bf6bd3c1a57c1d4349e0b80924

    • SHA1

      d0b8606bfc93a110b740f513f23d37ae2d35e302

    • SHA256

      2f93268254854fcf8b754edd270c08b574f3b078c601aece0efc50c95596b086

    • SHA512

      1a2d76923720e920f2d825805bcbf5f1852db8b2ae804290ade6161fd98ab7e80e79b54e48427003715a67c30a8b795ffcd0272bc76c5248e03aac07e234e787

    • SSDEEP

      24576:AStF5TWrTZrtYbfcR2YfUpxrKl0XinWMCyFCQ:AStFd8bYbfs2XpklwinFwQ

    Score
    1/10
    • Target

      31ec85607b59877f42e791a2ac23d8c8c95edc8bad7fc0939a90a3807f445c6d.exe

    • Size

      110KB

    • MD5

      e18a8e37b5d2cfaec89222fd74c88081

    • SHA1

      19a794cb433dc4445e33becc7c2ce7d211baefa6

    • SHA256

      31ec85607b59877f42e791a2ac23d8c8c95edc8bad7fc0939a90a3807f445c6d

    • SHA512

      287358b925ff7a6e214ea29612461c94fbc12eb145a8ed3cfc8a7400151a6fe7ebc399d6ae0ad22d31dd8b9e2082668957a30baca807502cf1a78beb33b5c2c8

    • SSDEEP

      1536:Kx+EiewYluxHtThsiP34bbCaFJqIc5fpD7/xL:KrvyRhsiffaKIc5hDF

    Score
    3/10
    • Target

      388b63b6abc1c60160dea6dc559c9c24cf1299fa8df80cebccfcaa9c783526d1.exe

    • Size

      386KB

    • MD5

      7235fe2df2cc34e2f14fc0521d4db92d

    • SHA1

      cd709297bce4ca7fad036962a869a0c7b83760d3

    • SHA256

      388b63b6abc1c60160dea6dc559c9c24cf1299fa8df80cebccfcaa9c783526d1

    • SHA512

      eca6985211aac0e214730ab4aa6091b2b784a78d6a6e11ed90d13b595ea791978b5168f524bdcda3f6e3949bebcd5aebdef12146fe744a4fcaf38f72acd01f37

    • SSDEEP

      12288:tpLNxYqeb7Oppc92N/i4eAjyEVPvIjYKkJj6GmZU:FxSbIDeAjJVPv+Yb6nZ

    Score
    10/10
    • Target

      38ff89e2b1d143d1710917e87c0a53c4886ff2295aefad2646c3791882ef8669.exe

    • Size

      386KB

    • MD5

      269707a5b480393ad59d457c27fd7852

    • SHA1

      2012ea46d841d46a84966e3a46d5835ed7693061

    • SHA256

      38ff89e2b1d143d1710917e87c0a53c4886ff2295aefad2646c3791882ef8669

    • SHA512

      1a9d4d2648fd0a2998a6cf956b4e8332c07e49b0a9d0d3827db4879481daa35e21dc2ed9534cc7139fc34773b83f2a119e24fbb0a7d23a8b7b9498e1bbd802f4

    • SSDEEP

      12288:dpLNxYqeb7Oppc92N/i4eAjyEVPvIjYKkJj6GmZU:1xSbIDeAjJVPv+Yb6nZ

    Score
    10/10
    • Target

      478dc8e0fc8b3ff56407c4876674f65c57b6543e9f65680dae0f4a7c8b0decc3.exe

    • Size

      1.3MB

    • MD5

      11633d9b966df85843244a943545179a

    • SHA1

      6c123b965dde6617e487176f705b98762270b90f

    • SHA256

      478dc8e0fc8b3ff56407c4876674f65c57b6543e9f65680dae0f4a7c8b0decc3

    • SHA512

      e022765cfccfc3f72e4c16ed2b2467c5e70b7428e4ee9fd5793e59ed1fe952fd99faa90a96a9fbc6696bfaceda66ad089fe316bea446014ef306526b752e9b7c

    • SSDEEP

      24576:fqDEvCTbMWu7rQYlBQcBiT6rprG8aqcS245B8ELS:fTvC/MTQYxsWR7aqc3EL

    • Target

      4d32e2790a7a84c1cf62be213293d84087c4fa7cb53431da4a25d805f1827d12.exe

    • Size

      1.2MB

    • MD5

      40b3e1808283e5fcfe7560f5fd65e1cb

    • SHA1

      4928cbb42f3acade4a50cbb5b8696a18b685fcb4

    • SHA256

      4d32e2790a7a84c1cf62be213293d84087c4fa7cb53431da4a25d805f1827d12

    • SHA512

      d953a94db540879c958167d56231f51d1098a8edfbfb8655432a6e72bcf5ca245d8ebce19b99af42a0a87f0570010d253d027e9eb3fbd4cbb23837416c6f9d9d

    • SSDEEP

      24576:xAHnh+eWsN3skA4RV1Hom2KXMmHa5aQithqM3V1MtXW3QMl5:Ih+ZkldoPK8Ya59UhpVMm3Qe

    • AgentTesla

      Agent Tesla is a .NET-based infostealer and remote access tool (RAT) that harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP (including the Telegram Bot API).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Typically used to redirect a suspended thread into injected code (process hollowing/injection).

    • Target

      5b28ac684dfcbfc7784f1803d3d3be22d0615ca1e38c3c754266338385a10b72.exe

    • Size

      430KB

    • MD5

      7170aecee8991a5999d72a84ce581283

    • SHA1

      a82eee6ef09077dea6f9790067e2d50f2b37d6e2

    • SHA256

      5b28ac684dfcbfc7784f1803d3d3be22d0615ca1e38c3c754266338385a10b72

    • SHA512

      483cfcd41721fcfcedde5e0c5fa7d0737033ecd2c47604fc4de42c5454ff2bc8d536a246b8c32343ba3b2c4b7b683b9af754f5b63b07bdc5ea2667eb32cab580

    • SSDEEP

      12288:FVpOWY3to4Y2dXyImEe3CviyF2r2dUjYKkJj6GmZU:fpe3mz3Wi22rhYb6nZ

    Score
    10/10
    • Target

      5c41653b87a3ccb6ff8337d28ab04aac9fa62838031aa84432bfe247a3611689.exe

    • Size

      386KB

    • MD5

      9ac07e9f935b70a31f633719fb84934b

    • SHA1

      1268ab1844410f40d79762c8f241d39f3d1ca8c4

    • SHA256

      5c41653b87a3ccb6ff8337d28ab04aac9fa62838031aa84432bfe247a3611689

    • SHA512

      b06e29cdb636013a7e8fa641e06134159fcedefe8f20aec0998ba430d42930755a7fdaddbddbeef1c4d5803f851377c3fcacceee4177edd331f0bd072d57922a

    • SSDEEP

      12288:ZpLNxYqeb7Oppc92N/i4eAjyEVPvIjYKkJj6GmZU:5xSbIDeAjJVPv+Yb6nZ

    Score
    10/10
    • Target

      64f31a8fe63a882463921bb57f075f5ada1915e094af3a282fa8bca169d16487.unknown

    • Size

      6.2MB

    • MD5

      5e7f62f1d3e086b04c0f640f97140029

    • SHA1

      6e630ca526851b32a422b55b801f63632794abd6

    • SHA256

      64f31a8fe63a882463921bb57f075f5ada1915e094af3a282fa8bca169d16487

    • SHA512

      3a9401b923e38d29ccc5b82de3a7e6b05a84a88c964601a9499e06a3394ed5f8358cad485b40b7fb28ce90da32cb7fef658d0601bc5778a26381b5e4e7015eba

    • SSDEEP

      49152:SLmRUIxzmUIxzmUIxzmUIxz60w0uV8Vyw0uV8Vkw0uV8VDw0uV8VOdqwyW3BHq6D:/

    Score
    1/10
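
Four of the 386KB executables above (1447056a, 388b63b6, 38ff89e2, 5c41653b) carry SSDEEP values that differ in a single character in each half, which is what a rebuilt crypter stub with a changed seed looks like; the 430KB sample shares only the tail of its first block string, and the two 1.3MB AutoIT droppers share a long prefix. The following is an added example, not part of the sandbox report, that quantifies that with an independent pure-Python re-implementation of the spamsum/ssdeep comparison (weighted edit distance over the block-hash strings, ssdeep's scaling and block-size cap), so it runs without the ssdeep library. Scores should agree with `ssdeep -d` on these inputs, but this is not the ssdeep project's code. Labels are the first 8 hex characters of each target's SHA256.

```python
"""Cluster the SSDEEP values from the Targets section (added example).

Independent re-implementation of the spamsum/ssdeep score, not ssdeep's code."""

SPAMSUM_LENGTH = 64   # max length of the first block-hash string
MIN_BLOCKSIZE = 3
ROLLING_WINDOW = 7    # a match needs a common substring at least this long

# SSDEEP values copied from the report; key = first 8 hex chars of the SHA256.
REPORTED = {
    "1447056a": "12288:WpLNxYqeb7Oppc92N/i4eAjyEVPvIjYKkJj6GmZU:gxSbIDeAjJVPv+Yb6nZ",   # 386KB
    "388b63b6": "12288:tpLNxYqeb7Oppc92N/i4eAjyEVPvIjYKkJj6GmZU:FxSbIDeAjJVPv+Yb6nZ",   # 386KB
    "38ff89e2": "12288:dpLNxYqeb7Oppc92N/i4eAjyEVPvIjYKkJj6GmZU:1xSbIDeAjJVPv+Yb6nZ",   # 386KB
    "5c41653b": "12288:ZpLNxYqeb7Oppc92N/i4eAjyEVPvIjYKkJj6GmZU:5xSbIDeAjJVPv+Yb6nZ",   # 386KB
    "5b28ac68": "12288:FVpOWY3to4Y2dXyImEe3CviyF2r2dUjYKkJj6GmZU:fpe3mz3Wi22rhYb6nZ",  # 430KB
    "2ad5dc1e": "24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8aaZmF4O/l+XJPyUeB8hX:rTvC/MTQYxsWR7aaZmFpmyH8",  # 1.3MB
    "478dc8e0": "24576:fqDEvCTbMWu7rQYlBQcBiT6rprG8aqcS245B8ELS:fTvC/MTQYxsWR7aqc3EL",  # 1.3MB
    "102c2ced": "3072:oDLNPhZ1xFpRXlTpHBKHdPaTfVUDlPV8PafjpzgDBlXqfiq25P7fB9Du9RV:2LNJZ1xFpnTpHytfj9gDBpqfiqofBh",  # 240KB
}


def _edit_distance(a, b):
    """Levenshtein distance with ssdeep's costs: insert 1, delete 1, replace 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                          # delete ca
                           cur[j - 1] + 1,                       # insert cb
                           prev[j - 1] + (0 if ca == cb else 2)))  # replace
        prev = cur
    return prev[-1]


def _eliminate_sequences(s):
    """Collapse runs of more than three identical characters to three (as ssdeep does)."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)


def _has_common_substring(a, b, n=ROLLING_WINDOW):
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


def _score_strings(a, b, block_size):
    a, b = a[:SPAMSUM_LENGTH], b[:SPAMSUM_LENGTH]
    if not _has_common_substring(a, b):
        return 0
    score = _edit_distance(a, b)
    score = (score * SPAMSUM_LENGTH) // (len(a) + len(b))  # proportion changed, 0..64
    score = (100 * score) // SPAMSUM_LENGTH                # rescale to 0..100
    if score >= 100:
        return 0
    score = 100 - score                                    # 100 = excellent match
    # Small block sizes with short strings cannot justify a high score.
    if block_size < (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE:
        score = min(score, (block_size // MIN_BLOCKSIZE) * min(len(a), len(b)))
    return score


def ssdeep_compare(h1, h2):
    """Similarity 0..100 of two ssdeep hashes; 0 when block sizes are incomparable."""
    bs1, a1, a2 = h1.split(":", 2)
    bs2, b1, b2 = h2.split(":", 2)
    bs1, bs2 = int(bs1), int(bs2)
    a2, b2 = a2.split(",")[0], b2.split(",")[0]  # drop ",filename" from ssdeep output
    if bs1 != bs2 and bs1 != 2 * bs2 and bs2 != 2 * bs1:
        return 0
    a1, a2, b1, b2 = map(_eliminate_sequences, (a1, a2, b1, b2))
    if bs1 == bs2 and a1 == b1 and a2 == b2:
        return 100
    if bs1 == bs2:
        return max(_score_strings(a1, b1, bs1), _score_strings(a2, b2, bs1 * 2))
    if bs1 == 2 * bs2:
        return _score_strings(a1, b2, bs1)
    return _score_strings(a2, b1, bs2)


def cluster(hashes, threshold=90):
    """Greedy single-linkage grouping of labelled hashes by ssdeep score."""
    groups = []
    for name, h in hashes.items():
        for g in groups:
            if any(ssdeep_compare(h, hashes[m]) >= threshold for m in g):
                g.append(name)
                break
        else:
            groups.append([name])
    return groups


if __name__ == "__main__":
    for g in cluster(REPORTED):
        print(g)
```

The four 386KB samples score 99 against each other and land in one cluster at a 90 threshold; the 430KB sample and the two 1.3MB droppers stay outside it even though each shares a long substring with a cluster member. That is the behaviour to expect from this metric: a single-character change in the block hash is one substitution out of forty, while a shared tail or prefix in an otherwise different hash is worth a mid-range score at best. Treat such mid-range hits as leads for a manual diff, not as clustering evidence.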

MITRE ATT&CK Enterprise v15

Tasks

static1

pdflink agenttesla darkcloud
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

agenttesla keylogger persistence spyware stealer trojan
Score
10/10

behavioral4

agenttesla keylogger persistence spyware stealer trojan
Score
10/10

behavioral5

agenttesla keylogger persistence spyware stealer trojan
Score
10/10

behavioral6

agenttesla keylogger persistence spyware stealer trojan
Score
10/10

behavioral7

darkcloud stealer
Score
10/10

behavioral8

darkcloud stealer
Score
10/10

behavioral9

Score
1/10

behavioral10

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral11

guloader lokibot collection downloader spyware stealer trojan
Score
10/10

behavioral12

guloader lokibot collection downloader spyware stealer trojan
Score
10/10

behavioral13

Score
3/10

behavioral14

Score
3/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
3/10

behavioral18

Score
3/10

behavioral19

darkcloud stealer
Score
10/10

behavioral20

darkcloud stealer
Score
10/10

behavioral21

darkcloud stealer
Score
10/10

behavioral22

darkcloud stealer
Score
10/10

behavioral23

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral24

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral25

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral26

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral27

darkcloud stealer
Score
10/10

behavioral28

darkcloud stealer
Score
10/10

behavioral29

darkcloud stealer
Score
10/10

behavioral30

darkcloud stealer
Score
10/10

behavioral31

Score
1/10

behavioral32

Score
1/10