General

Target: b7a0650b0c735306e905d5f11a676a63bfa193ee6befef519d890dc4197b76c7
Size: 556KB
Sample: 240326-bs3j8abc64
MD5: 5ad4304f5339ad1ef6517bc8a98e77a0
SHA1: 231ff64e77b60ea34dde49a9ae220124c8232084
SHA256: b7a0650b0c735306e905d5f11a676a63bfa193ee6befef519d890dc4197b76c7
SHA512: a357d8b9b31cbc1148d424e98bec21c27e9a6fb4cf4f61159bd90051e608a511a3227651b271d03fd83513499bb92adffb741dc2f1a17896f4812aaf38e40e47
SSDEEP: 12288:XRpErqjRdFy/8hqQu9RSFwmQY/iIfu+OJEsJLggzOdB/:I/y+Z/Y6GuLJEqMgzOdR
Static task
static1

Behavioral task behavioral1
Sample: navda_br-_700611_-_C.E.F.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: navda_br-_700611_-_C.E.F.exe
Resource: win10v2004-20240319-en

Behavioral task behavioral3
Sample: Raskmeldingen/Skibsrederier249/Prezone.ps1
Resource: win7-20240221-en

Behavioral task behavioral4
Sample: Raskmeldingen/Skibsrederier249/Prezone.ps1
Resource: win10v2004-20240226-en
Malware Config

Extracted
Family: agenttesla
C2 (Telegram Bot API endpoint used for exfiltration): https://api.telegram.org/bot7067189439:AAGiycb7fUr8kAg9CwwJdg2FmcjxTPM4QdE/
The path segment after /bot is the bot token (numeric bot id, a colon, then the secret). It identifies the attacker's Telegram bot and is the indicator to pivot on in proxy or DNS telemetry; any process other than a known Telegram client calling api.telegram.org with a /bot<id>:<secret>/ path deserves a look.
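A detection you can run over proxy or web-filter logs for the exfiltration channel in the extracted config, as an added example that is not part of the sandbox report. It flags Telegram Bot API calls, redacts the token for reporting, matches the token against the one extracted above, and correlates with the external-IP lookup the report also notes. The log lines, their format, the IP-lookup host list and the process names in the log are constructed for the example; the report does not name the IP lookup service that was used.

```python
import re
from typing import Dict, List, Optional

# Telegram Bot API calls carry the bot token in the path: /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w*)"
)

# Token from this report's extracted AgentTesla config (the IOC to match on).
KNOWN_TOKENS = {"7067189439:AAGiycb7fUr8kAg9CwwJdg2FmcjxTPM4QdE"}

# Assumed list of public IP lookup services; the report does not name the one used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "checkip.dyndns.org", "icanhazip.com"}

# Constructed proxy log, not from the report. Format: "<ts> <client> <process> <method> <url>".
SAMPLE_LOG = """\
2024-03-26T10:01:02Z 10.0.0.5 chrome.exe GET https://www.example.com/
2024-03-26T10:01:09Z 10.0.0.5 navda_br-_700611_-_C.E.F.exe GET https://api.ipify.org/
2024-03-26T10:01:10Z 10.0.0.5 navda_br-_700611_-_C.E.F.exe POST https://api.telegram.org/bot7067189439:AAGiycb7fUr8kAg9CwwJdg2FmcjxTPM4QdE/sendDocument
2024-03-26T10:05:00Z 10.0.0.9 python.exe POST https://api.telegram.org/bot123456:AAAA-constructed-token_000/getUpdates
2024-03-26T10:06:00Z 10.0.0.9 firefox.exe GET https://api.telegram.org/
"""


def defang_token(token: str) -> str:
    """Keep the bot id and a 4-char prefix of the secret so the finding stays identifiable
    without reproducing a usable credential in a report or ticket."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...[redacted]"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into fields; returns None for malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, client, process, method, url = parts
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    return {"ts": ts, "client": client, "process": process,
            "http_method": method, "url": url, "host": host}


def detect_telegram_exfil(log_text: str) -> List[Dict]:
    """Flag Telegram Bot API calls and enrich them with the two signals this report shows
    together: the known token and a preceding external-IP lookup by the same process."""
    findings: List[Dict] = []
    did_ip_lookup = set()  # (client, process) pairs that already queried an IP lookup service
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["process"].lower())
        if rec["host"] in IP_LOOKUP_HOSTS:
            did_ip_lookup.add(key)
            continue
        m = BOT_API_RE.search(rec["url"])
        if m is None:
            continue
        token = f"{m['bot_id']}:{m['secret']}"
        reasons = ["telegram_bot_api_call"]
        if token in KNOWN_TOKENS:
            reasons.append("known_agenttesla_token")
        if key in did_ip_lookup:
            reasons.append("preceded_by_ip_lookup")
        if m["method"] in {"sendDocument", "sendMessage"}:
            reasons.append("outbound_data_method")
        # A bare bot-API call may be a legitimate self-hosted bot; extra signals raise it.
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append({
            "ts": rec["ts"], "client": rec["client"], "process": rec["process"],
            "bot_id": m["bot_id"], "token": defang_token(token),
            "api_method": m["method"], "severity": severity, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_telegram_exfil(SAMPLE_LOG):
        print(finding)
```

The token is redacted in the output on purpose: the bot id alone is enough to tie two sightings together, and the full secret should stay in the case file rather than in a ticket that gets forwarded around.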
Targets

Target: navda_br-_700611_-_C.E.F.exe
Size: 666KB
MD5: 488f7c46fd3b3068282b18b18e964623
SHA1: d37bbb31a49e3f2a822439dc60750389520a3e70
SHA256: 36dc6d69051881463f748304e078d41ae15599020eead2297881826113321022
SHA512: a6ff8d7f5a9d63d6dede1c09de8f45f77948b0be2330b88c9e55c5d851d5a7afd297c7481f5483695681379c989107b0aec6aa9e630de9123acf89deca9bdcad
SSDEEP: 12288:FLTA8PHO5mU0It6TIhEQIJtuFmCQYziILm+OD5+I3/:9TA8PO5mU16T+YFTYOOmLD3
Signatures:
- AgentTesla: Agent Tesla is a .NET information stealer and remote access tool (RAT), usually described as written in Visual Basic (VB.NET). It harvests saved credentials and keystrokes and exfiltrates them over SMTP, FTP or, as in this sample, the Telegram Bot API.
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP, which the stealer includes in its exfiltrated reports.
- Suspicious use of NtCreateThreadExHideFromDebugger: creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER set, so an attached debugger receives no events for that thread.
- Suspicious use of NtSetInformationThreadHideFromDebugger: sets ThreadHideFromDebugger on an existing thread for the same anti-analysis effect.
- Suspicious use of SetThreadContext: rewriting another thread's context (entry point / instruction pointer) is the step that redirects execution in process hollowing and similar injection.

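The three "Suspicious use of ..." signatures above are the kind of thing a sandbox or EDR derives from an API trace. The following is an added example, not code from the report or the sandbox, that scores a constructed trace for the same signals: the two hide-from-debugger calls, and SetThreadContext on a child that was started suspended and written to (the hollowing sequence). The trace format, the process ids and the hollowed image name are constructed; the report does not say which process, if any, was hollowed. The constants are the documented Windows values.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Documented Windows constants the three signatures key on.
THREAD_HIDE_FROM_DEBUGGER = 0x11              # ThreadInformationClass for NtSetInformationThread
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # CreateFlags bit for NtCreateThreadEx
CREATE_SUSPENDED = 0x4                        # dwCreationFlags bit for CreateProcess*

# Constructed API trace, not from the report. Format: "<pid> <api> k=v,k=v".
# The hollowed image name is an assumption for the example.
SAMPLE_TRACE = """\
4100 NtSetInformationThread thread=0xffffffff,class=0x11
4100 NtCreateThreadEx process=0xffffffff,flags=0x4
4100 CreateProcessW image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe,flags=0x4,child=4212
4100 NtUnmapViewOfSection process=4212
4100 WriteProcessMemory process=4212,size=0x9e000
4100 SetThreadContext process=4212
4100 ResumeThread process=4212
5300 CreateProcessW image=C:\\Windows\\System32\\notepad.exe,flags=0x0,child=5312
5300 NtCreateThreadEx process=0xffffffff,flags=0x0
"""

HOLLOW_STEPS = {"WriteProcessMemory", "SetThreadContext", "ResumeThread"}


def parse_trace(text: str) -> List[Tuple[int, str, Dict]]:
    """Turn the constructed trace into (pid, api, args) tuples; numeric args become ints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=2)
        pid, api = int(parts[0]), parts[1]
        args: Dict = {}
        for kv in (parts[2].split(",") if len(parts) > 2 else []):
            k, _, v = kv.partition("=")
            try:
                args[k] = int(v, 0)  # accepts 0x.. and decimal
            except ValueError:
                args[k] = v
        events.append((pid, api, args))
    return events


def analyze(events: List[Tuple[int, str, Dict]]) -> Dict[int, Dict]:
    """Per source pid: anti-debug calls seen, children that went through the hollowing
    sequence (suspended create -> write -> SetThreadContext -> resume), and a score."""
    state = defaultdict(lambda: {"anti_debug": [], "suspended": set(),
                                 "steps": defaultdict(set), "hollowed": []})
    for pid, api, a in events:
        s = state[pid]
        if api == "NtSetInformationThread" and a.get("class") == THREAD_HIDE_FROM_DEBUGGER:
            s["anti_debug"].append("NtSetInformationThread(ThreadHideFromDebugger)")
        elif api == "NtCreateThreadEx" and a.get("flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            s["anti_debug"].append("NtCreateThreadEx(THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER)")
        elif api.startswith("CreateProcess") and a.get("flags", 0) & CREATE_SUSPENDED:
            s["suspended"].add(a.get("child"))
        elif api in HOLLOW_STEPS | {"NtUnmapViewOfSection"}:
            child = a.get("process")
            if child in s["suspended"]:  # only count steps aimed at a suspended child
                s["steps"][child].add(api)
                if HOLLOW_STEPS <= s["steps"][child] and child not in s["hollowed"]:
                    s["hollowed"].append(child)
    report = {}
    for pid, s in state.items():
        report[pid] = {
            "anti_debug": s["anti_debug"],
            "hollowed": s["hollowed"],
            # hollowing weighs more than a single anti-debug call
            "score": len(s["anti_debug"]) + 3 * len(s["hollowed"]),
        }
    return report


if __name__ == "__main__":
    for pid, r in analyze(parse_trace(SAMPLE_TRACE)).items():
        print(pid, r)
```

The per-child step set is what keeps this from firing on every SetThreadContext: debuggers and some legitimate runtimes call it too, but rarely on a process they created suspended and then wrote into.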
Target: Raskmeldingen/Skibsrederier249/Prezone.Lge
Size: 58KB
MD5: d9c5f2e8ea0f8260741b494f3df7e200
SHA1: a833e08e3fafe2bf44c05bbcf69b1b9c76552682
SHA256: 0c607fc96e393946eee8c2f79da678e2d91744a931286e8fa9bdd7909b9e5f6e
SHA512: 09f4e7a2a7686e5bcdd8e333f8572fac2423ba5f991407d127d2183119fcbb4a157e6c856305106f4e09235b40840c6b4183ab40000073248016395198eb6df6
SSDEEP: 1536:3kXcwGyxS/JUMb2YvsTzywLR/SjPCnS4yqxZejyPjZVCZlr:3kXcWxS2M+g6XxXyr
Score: 8/10
Signatures:
- Modifies Installed Components in the registry: writes under Active Setup\Installed Components, a per-user logon persistence location.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15 (tactic / technique: number of matching signatures)

Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
Credential Access
  Unsecured Credentials (T1552): 4
    Credentials In Files (T1552.001): 3
    Credentials in Registry (T1552.002): 1
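For the T1547.001 entry, the artefact an incident responder actually collects is a `reg export` of the Run/RunOnce keys. The following triage script is an added example, not part of the report, and the .reg text it parses is constructed: the report lists the technique but does not show the Run value the sample wrote, so the `Prezone` entry below only reuses the dropped script's path from the behavioral tasks as a plausible shape, not as an observed value. The script handles the .reg escaping rules (`\\` and `\"`), skips non-string values, and rates each entry on script-host use, window-hiding / policy-bypass switches and user-writable paths.

```python
import re
from typing import Dict, List

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
HIDING_SWITCHES = ("-w hidden", "-windowstyle hidden", "-ep bypass",
                   "-executionpolicy bypass", "-enc ", "-encodedcommand")

# Constructed `reg export` output, not from the report (which does not show the real Run value).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Prezone"="powershell.exe -w hidden -ep bypass -f \"C:\\Users\\victim\\AppData\\Roaming\\Raskmeldingen\\Skibsrederier249\\Prezone.ps1\""
"Updater"=hex:01,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash protects the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def split_command(cmd: str) -> str:
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def triage_run_keys(reg_text: str) -> List[Dict]:
    findings: List[Dict] = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km["key"].lower()
            continue
        if current not in RUN_KEYS:
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, data = unescape(vm["name"]), vm["data"]
        if not (data.startswith('"') and data.endswith('"')):
            # hex:/dword: data under Run is unusual enough to surface as-is
            findings.append({"key": current, "name": name, "command": data,
                             "reasons": ["non_string_run_value"], "severity": "review"})
            continue
        cmd = unescape(data[1:-1])
        exe_name = split_command(cmd).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        low = cmd.lower()
        reasons = []
        if exe_name in SCRIPT_HOSTS:
            reasons.append("script_or_lolbin_host")
        if any(sw in low for sw in HIDING_SWITCHES):
            reasons.append("hidden_or_bypass_switch")
        if any(p in low for p in USER_WRITABLE):
            reasons.append("user_writable_path")
        if not reasons:
            continue
        strong = {"script_or_lolbin_host", "hidden_or_bypass_switch"}
        severity = "high" if strong & set(reasons) else "medium"
        findings.append({"key": current, "name": name, "command": cmd,
                         "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG):
        print(f["severity"], f["name"], f["reasons"])
```

A per-user application under AppData (the OneDrive line) lands at "medium" rather than being dropped, because a user-writable path is exactly where a dropper puts its payload; the script-host and hidden-window signals are what separate the Prezone-style entry from that background noise.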