General
Target: Win Quick Config.exe
Size: 3.7MB
Sample: 240310-vzrwvahb23
MD5: 11a02e5a408789037713b8d54b1274c9
SHA1: 24c31db3ff856a855e9f3b99ccfa528809537b8c
SHA256: 3feaec930748c0217b9201c660288196dc972dddb85211224a21a282fba4650f
SHA512: 749cfc58be6d72200df5c07155006851e265a66f6dc5edf146ece91385bf6e3dd0268a2d94c9c381a7208b1fbdd10759cd6107466a167c272640322fa7f08026
SSDEEP: 98304:NonccIUbMpphLPEIccIUbMpphLPEUmF6L6NesezlkqXf0Fk82kBQJ:aNIUApphLJNIUApphLFy6L6NesepkSIa
Static task: static1
Behavioral task: behavioral1 (sample: Win Quick Config.exe; resource: win10v2004-20240226-en)
Behavioral task: behavioral2 (sample: Win Quick Config.exe; resource: win11-20240221-en)
Malware Config
Targets
Target: Win Quick Config.exe (3.7MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
- AgentTesla: Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.
- Detect Neshta payload
- Neshta: Neshta is a file infector; it injects its code into other executables to spread and hijacks the .exe file association so that its loader runs before every program the infected host launches.
- AgentTesla payload
- Downloads MZ/PE file
- Modifies RDP port number used by Windows
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.NET commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Registers COM server for autorun
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1) > Registry Run Keys / Startup Folder (1)
Event Triggered Execution (1) > Change Default File Association (1)
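Two of the behaviours the report attributes to this sample, the modified .exe file association (Change Default File Association) and the changed RDP port, leave a footprint in the registry that can be checked on any Windows host from a `reg export` of the relevant keys. The Python below is an added example and is not part of the sandbox report or of any vendor tooling: it parses .reg text and flags the exefile open command if it differs from the Windows default `"%1" %*`, and the RDP-Tcp PortNumber if it differs from 3389. The registry text embedded in it is constructed for the example; the wrapper path `C:\Windows\svchost.com` and the port 0xe74f are illustrative placeholders, not observed indicators from this report.

```python
"""Check a `reg export` text for two tampering behaviours listed in the report:
a hijacked .exe file association and a moved RDP listener port.

Added example, not part of the sandbox report. The sample registry text is
constructed; only the Windows defaults below are real values.
"""
import re
from typing import Dict, List, Optional

# Windows defaults (facts, not assumptions).
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
DEFAULT_RDP_PORT = 3389

# Registry paths (lower-cased because the parser normalises key names).
EXEFILE_KEY = r'hkey_classes_root\exefile\shell\open\command'
RDP_KEY = (r'hkey_local_machine\system\currentcontrolset\control'
           r'\terminal server\winstations\rdp-tcp')

# Constructed sample of a tampered host: the svchost.com wrapper path and
# the port value are illustrative placeholders, not observed indicators.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\svchost.com \"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:0000e74f
'''

# Constructed sample of a clean host (both values at Windows defaults).
CLEAN_REG_EXPORT = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# Value line: default value `@=` or a quoted name, then `=` and the data.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash as \\ and double quote as \".
    return re.sub(r'\\(.)', r'\1', s)


def _parse_data(data: str):
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    return data  # other types (hex:, expand strings) kept raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path_lower: {value_name_lower: data}}; '' is the default value."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            name = '' if name == '@' else _unescape(name[1:-1])
            keys[current][name.lower()] = _parse_data(m.group(2))
    return keys


def check_exefile_association(reg: Dict[str, Dict[str, object]]) -> Optional[str]:
    """Flag an exefile open command that is not the Windows default."""
    cmd = reg.get(EXEFILE_KEY, {}).get('')
    if cmd is None:
        return None  # key not present in the export; nothing to judge
    if str(cmd).strip() == DEFAULT_EXEFILE_COMMAND:
        return None
    return f'exefile open command hijacked: {cmd!r} (expected {DEFAULT_EXEFILE_COMMAND!r})'


def check_rdp_port(reg: Dict[str, Dict[str, object]]) -> Optional[str]:
    """Flag an RDP-Tcp PortNumber that differs from 3389."""
    port = reg.get(RDP_KEY, {}).get('portnumber')
    if port is None or port == DEFAULT_RDP_PORT:
        return None
    return f'RDP listener moved from {DEFAULT_RDP_PORT} to {port}'


def run_checks(reg_text: str) -> List[str]:
    reg = parse_reg_export(reg_text)
    return [f for f in (check_exefile_association(reg), check_rdp_port(reg)) if f]


if __name__ == '__main__':
    for finding in run_checks(SAMPLE_REG_EXPORT):
        print(finding)
```

On a live host, produce the input with `reg export HKCR\exefile\shell\open\command exefile.reg` and `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" rdp.reg` (the `reg` tool writes UTF-16, so decode it before passing the text in). A missing key is reported as nothing rather than as clean, so check that both keys are actually in the export.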