General
Target: 027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2
Size: 555KB
Sample: 240329-bzkyraef32
MD5: 99b3c84d119b8d3173aa52f40871a090
SHA1: 029c6d4d7f5509bed4fe65e2ee961c058d896a61
SHA256: 027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2
SHA512: f7e1bd7e12d6e34deb0c40bd4bdc4b69c6fc7d43feb8671212eb8ac588a3d1e26922be5edb7d28997b088f5e3bbea72b61e98cb160c7288f18e0b1ae10302448
SSDEEP: 12288:ZCcSi/icxi33VLqAdQqW8sHPS9ojrO+HTG07rS:ZoiKainVPdQBSuGyG0K
Static task: static1
Behavioral task behavioral1: Sample 027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample 027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe, Resource win10v2004-20240226-en
Behavioral task behavioral3: Sample $PLUGINSDIR/nsExec.dll, Resource win7-20240221-en
Behavioral task behavioral4: Sample $PLUGINSDIR/nsExec.dll, Resource win10v2004-20240226-en
Behavioral task behavioral5: Sample Overstretch/Automobilfirmaers/Natchezan/Outreckon.ps1, Resource win7-20240221-en
Behavioral task behavioral6: Sample Overstretch/Automobilfirmaers/Natchezan/Outreckon.ps1, Resource win10v2004-20240226-en
Malware Config
Extracted
Protocol: smtp
Host: mail.legodimo.co.za
Port: 587
Username: [email protected]
Password: IFfo%142#
Extracted
agenttesla
Protocol: smtp
Host: mail.legodimo.co.za
Port: 587
Username: [email protected]
Password: IFfo%142#
Email To: [email protected]
Targets

Target: 027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2
Size: 555KB
MD5: 99b3c84d119b8d3173aa52f40871a090
SHA1: 029c6d4d7f5509bed4fe65e2ee961c058d896a61
SHA256: 027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2
SHA512: f7e1bd7e12d6e34deb0c40bd4bdc4b69c6fc7d43feb8671212eb8ac588a3d1e26922be5edb7d28997b088f5e3bbea72b61e98cb160c7288f18e0b1ae10302448
SSDEEP: 12288:ZCcSi/icxi33VLqAdQqW8sHPS9ojrO+HTG07rS:ZoiKainVPdQBSuGyG0K
Score: 10/10
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: $PLUGINSDIR/nsExec.dll
Size: 6KB
MD5: 51e63a9c5d6d230ef1c421b2eccd45dc
SHA1: c499cdad5c613d71ed3f7e93360f1bbc5748c45d
SHA256: cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f
SHA512: c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522
SSDEEP: 96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN
Score: 3/10

Target: Overstretch/Automobilfirmaers/Natchezan/Outreckon.Sty
Size: 55KB
MD5: 85bee3407dc99a55d809e31f5b8822f3
SHA1: 898e5873998c61dc48e6a01e43ba667f9a70f571
SHA256: 2afd7f567beb13e65577a1d2ee4d6a161c4a1b01cb154c7129846d7ed74ad0c0
SHA512: 06140520fedab28d7a982dc0d1563aed53b59a943131ed58cff405620c412e63f9dd7019661677bd562bd8813a09613b0e1f44752b983e953eef891af4941587
SSDEEP: 1536:z9Ie8eKpSG2o84eXnjC0TcpW+acHuDuqSTd+1:zee8Bv87DcTuSqX1
Score: 8/10
- Modifies Installed Components in the registry
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.