General

Target: 857cabdf843986bade93bb6882b28bd696727e57333880dabd1666745ae27305
Size: 510KB
Sample: 240328-bp4m4sce6t
MD5: 2337534b5deaa7c40784d61ad8602b08
SHA1: c74b04ac76a83ad77a8c570fe670ccc9a5b7dfdb
SHA256: 857cabdf843986bade93bb6882b28bd696727e57333880dabd1666745ae27305
SHA512: 63bccd72dd7a5f83721b65c6219254748977887b7c1920d7aa49e10f5510aa9098beae2bda9b2f9439b1fb8da41a00f9c7d33fef21c53b34fc4adb914d113951
SSDEEP: 12288:DlbPIiKP9/FOTzcxJkXwCbnIuX4cRljTJTSUXht/rDTo:5PIRDUgIbbIuocDTo
Static task: static1

Behavioral task: behavioral1
Sample: 857cabdf843986bade93bb6882b28bd696727e57333880dabd1666745ae27305.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 857cabdf843986bade93bb6882b28bd696727e57333880dabd1666745ae27305.exe
Resource: win10v2004-20240226-en

Behavioral task: behavioral3
Sample: Grnskollingernes237/pladsholderknudes.ps1
Resource: win7-20240221-en

Behavioral task: behavioral4
Sample: Grnskollingernes237/pladsholderknudes.ps1
Resource: win10v2004-20240226-en
Malware Config

Extracted
Protocol: smtp
Host: shark.ipchina163.com
Port: 587
Username: [email protected]
Password: =klKQ6APEoJ7

Extracted (family: agenttesla)
Protocol: smtp
Host: shark.ipchina163.com
Port: 587
Username: [email protected]
Password: =klKQ6APEoJ7
Email To: [email protected]
Targets

Target: 857cabdf843986bade93bb6882b28bd696727e57333880dabd1666745ae27305
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: Grnskollingernes237/pladsholderknudes.Fyr
Size: 58KB
MD5: b727db78e2c5f3b1559e11ceef7af2fb
SHA1: 622ee25305320a7c6c2f7e6b201d9c1204d00053
SHA256: 07a3c1a8c29ae7eb5b17b815e3c470068313f9911bf890f58f68f43cb42f2d54
SHA512: 19116eb53099a09bc314577f4954870ead121ee2c7818d0653973d30597abc7c9b698407583893b7171b40861aa279e5c619fbd640db9075ad4aa91fb2e62f36
SSDEEP: 1536:5jGkMxf3C7xchyXU14f+sC+9ez04sV0TJZJ2wh9kvTEw:VA3NYR8Y4S0T/1Cgw
Score: 8/10
- Modifies Installed Components in the registry
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.