General

- Target: 85e44c6e99f5f4043fc2c993b6fa633b_JaffaCakes118
- Size: 5.4MB
- Sample: 240402-hzh8gsbb65
- MD5: 85e44c6e99f5f4043fc2c993b6fa633b
- SHA1: 21b3e0a10dd9798ef71fe073cdad7cfdadbfdeae
- SHA256: 62fab79e945bc629c110f21c9db37c8c0cc441ad15e73c1c1349fbef986b3789
- SHA512: 7c2f7183d40ac7bab91fa1a572c625e38e8f7ec848d54b7a937b6a33acc5868df3af72ae3a6187e8720303ff7aa7d00e7895ff77adfd504d8b394dacb34d30ff
- SSDEEP: 1536:U9I0i/p6qP3NUUSQryt/H7brkIYtppz5h5Z5S5k5+5L5XEYEpEz5d5zE/EVE/E/A:U94
Static task: static1

Behavioral task: behavioral1
- Sample: 85e44c6e99f5f4043fc2c993b6fa633b_JaffaCakes118.lnk
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 85e44c6e99f5f4043fc2c993b6fa633b_JaffaCakes118.lnk
- Resource: win10v2004-20240226-en
Malware Config

Extracted: agenttesla
- Protocol: smtp
- Host: mail.abaamap.com.mx
- Port: 587
- Username: info@abaamap.com.mx
- Password: )I#!TlzV9@Kk
Extracted: formbook
- 4.1
- en
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload
- Formbook payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext