General
Target: 2a0620b58f5efd4de19f069d071c16d0abe4023da27067ffc1ce379c8f2ea669
Size: 681KB
Sample: 240326-bq9whsbc48
MD5: 860b9067335d433b623a3462220c28dc
SHA1: 86864b5c5828f3dccd05fc1589708d5d191dbbaa
SHA256: 2a0620b58f5efd4de19f069d071c16d0abe4023da27067ffc1ce379c8f2ea669
SHA512: 61f254450638755b48344b4385d8b6ae46451e2365327edf1be1009782db5e87b3bea4cb608387fb1f220ae9408130f61aa532ec7e40544ad3a616a3db6e7040
SSDEEP: 12288:GXbLwUW7q3rIVWvsXR1sHXwRffux01/MHHoMxJfyu4hK:WbJCirXsh1IwRffuQSoMxcxK
Static task: static1
Behavioral task: behavioral1
  Sample: 2a0620b58f5efd4de19f069d071c16d0abe4023da27067ffc1ce379c8f2ea669.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2a0620b58f5efd4de19f069d071c16d0abe4023da27067ffc1ce379c8f2ea669.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: $WINDIR/ventrodorsally/tilslutningsklare.ps1
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: $WINDIR/ventrodorsally/tilslutningsklare.ps1
  Resource: win10v2004-20240319-en
Malware Config
Extracted
  Protocol: smtp
  Host: shark.ipchina163.com
  Port: 587
  Username: [email protected]
  Password: jmgL01XJb+IK
Extracted (agenttesla)
  Protocol: smtp
  Host: shark.ipchina163.com
  Port: 587
  Username: [email protected]
  Password: jmgL01XJb+IK
  Email To: [email protected]
Targets

Target: 2a0620b58f5efd4de19f069d071c16d0abe4023da27067ffc1ce379c8f2ea669
Size: 681KB
MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values listed under General above
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: $WINDIR/ventrodorsally/tilslutningsklare.Phe
Size: 58KB
MD5: 64a1c85f036343ee0cd9e994aa9ac45f
SHA1: dff7c8f201ed0616c23a0a6b9eb59cd2af2db85c
SHA256: adfd2e99dbcc97e8b47ff1198f3ae372672354e4c01a0af3508575338531aaaa
SHA512: 5eedc49cf6c2a84c12117ccec4b5f282fead731311ac317fa9d3b016a26930a58278adcef1850692127eabbc56fb810fbd3129d99b9b0250079c4086e1c83e86
SSDEEP: 1536:5PyYVd6mqeUBmB7TQri0DGRfNhrrNqYbjazOv3+SLk9n:5xd6WUBqlr8AjDtLk9n
Score: 8/10
- Modifies Installed Components in the registry
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.