General
Target: c2fbfeaae8323cc8ca88ab7e7d2a80f4389d7d77870b560e9959fedee8b23827
Size: 87KB
Sample: 240406-bpad9sgh46
MD5: 54e3c76747e04cf98283167390e3f123
SHA1: a3addc3808226149381201bb24926fb8cbfff167
SHA256: c2fbfeaae8323cc8ca88ab7e7d2a80f4389d7d77870b560e9959fedee8b23827
SHA512: 576c959e486aa3b4a7f3902b27f29da9eb467b8339514f00e2fc9c83c0302b62b7778457fb54043a76e7530437836822ea7e4950b10e7783a8cd06666fd1052e
SSDEEP: 1536:oLQAJg6/L6iFQzXblXAorYfwJcxSTlWoJl0ovJvWR4jmft2Ib7ADUzqbD3htV:OJgsL66ykDxSTlWoJl0ovJvWR46fJb7m
Behavioral task: behavioral1
Sample: c2fbfeaae8323cc8ca88ab7e7d2a80f4389d7d77870b560e9959fedee8b23827.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: c2fbfeaae8323cc8ca88ab7e7d2a80f4389d7d77870b560e9959fedee8b23827.exe
Resource: win10v2004-20240226-en
Malware Config

Extracted: purecrypter
http://213.199.41.33/rw/Lftspwf.pdf

Extracted: agenttesla
Protocol: smtp
Host: 66.29.151.236
Port: 587
Username: [email protected]
Password: KSN9T9fAXAWh
Email To: [email protected]

Extracted: xworm
5.0
91.92.241.169:5353
XctZl0l6I2mIgS0k
install_file: USB.exe
telegram: https://api.telegram.org/bot5987023205:AAFlvwKv3zD3wQ2CQAewIB6uU95uBQ25ip0/sendMessage?chat_id=5202962680

Extracted
Protocol: smtp
Host: 66.29.151.236
Port: 587
Username: [email protected]
Password: KSN9T9fAXAWh
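
The three labeled extractions above (PureCrypter download URL, AgentTesla SMTP exfiltration account, XWorm C2 socket and Telegram bot) are what a responder actually needs from this report, but the sandbox prints them as a flattened key/value run that is awkward to paste into a blocklist or a sharing platform. The script below is an added example, not code from the report or from any sandbox tool: it embeds the page's own config block verbatim, parses each "Extracted" block into a record (family, named fields, ip:port sockets, URLs, leftover positional values), pulls the bot id and chat id out of the Telegram URL without reproducing the bot token, and emits a defanged indicator list with the SMTP password masked. The "unlabeled" family name, the masking style and the `[email protected]` placeholders (copied as the page renders them) are this example's assumptions.

```python
"""Parse the flattened "Malware Config" block of a sandbox report into
structured, defanged indicators (added example; not the report's own tooling)."""
import re
from urllib.parse import urlparse, parse_qs

# The report's own config block, embedded verbatim so this runs offline.
REPORT_CONFIG = """\
Extracted
purecrypter
http://213.199.41.33/rw/Lftspwf.pdf
Extracted
agenttesla
Protocol: smtp- Host:
66.29.151.236 - Port:
587 - Username:
[email protected] - Password:
KSN9T9fAXAWh - Email To:
[email protected]
Extracted
xworm
5.0
91.92.241.169:5353
XctZl0l6I2mIgS0k
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot5987023205:AAFlvwKv3zD3wQ2CQAewIB6uU95uBQ25ip0/sendMessage?chat_id=5202962680
"""

URL_RE = re.compile(r"https?://\S+")
SOCKET_RE = re.compile(r"^((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})$")
# "Key: value - Key: value" runs: a key is preceded by start-of-text or "- "
# and followed by ": ", so "http:" inside a URL is never taken as a key.
KV_RE = re.compile(r"(?:^|-\s*)([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*(?=-\s*[A-Za-z][A-Za-z ]*?:\s|$)")
FAMILY_RE = re.compile(r"^[a-z][a-z0-9_]*$")   # first line of a block, e.g. "xworm"


def parse_config(text):
    """Split at each 'Extracted' marker and parse every block."""
    sections = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "Extracted":
            sections.append([])
        elif sections:
            sections[-1].append(line)
    return [parse_section(s) for s in sections]


def parse_section(lines):
    """One block -> {family, fields, sockets, urls, values}."""
    labeled = bool(lines) and FAMILY_RE.match(lines[0])
    family, lines = (lines[0], lines[1:]) if labeled else ("unlabeled", list(lines))
    fields, rest = {}, []
    while lines:                                   # "-", name, value triplets
        if lines[0] == "-" and len(lines) > 2:
            fields[lines[1]], lines = lines[2], lines[3:]
        else:
            rest.append(lines.pop(0))
    kv = {k.strip(): v for k, v in KV_RE.findall(" ".join(rest))}
    fields.update(kv)
    sockets = [(fields["Host"], int(fields["Port"]))] if "Host" in fields and fields.get("Port", "").isdigit() else []
    positional = [] if kv else [l for l in rest if not URL_RE.match(l)]   # XWorm-style bare values
    sockets += [(m.group(1), int(m.group(2))) for m in map(SOCKET_RE.match, positional) if m]
    values = [l for l in positional if not SOCKET_RE.match(l)]
    urls = [u for s in rest + list(fields.values()) for u in URL_RE.findall(s)]
    return {"family": family, "fields": fields, "sockets": sockets, "urls": urls, "values": values}


def telegram_details(url):
    """Bot id and chat id from a Telegram Bot API URL; the token is never returned."""
    u = urlparse(url)
    m = re.match(r"/bot(\d+):([^/]+)/", u.path)
    if u.hostname != "api.telegram.org" or not m:
        return None
    return {"bot_id": m.group(1), "chat_id": parse_qs(u.query).get("chat_id", [None])[0]}


def defang(indicator):
    """Defang a URL or ip:port for sharing (host part only)."""
    if "://" in indicator:
        scheme, rest = indicator.split("://", 1)
        host, slash, tail = rest.partition("/")
        return scheme.replace("tt", "xx") + "://" + host.replace(".", "[.]") + slash + tail
    return indicator.replace(".", "[.]")


def shareable_iocs(records):
    """Flat (family, kind, value) list; SMTP password masked, bot token dropped."""
    out = []
    for rec in records:
        out += [(rec["family"], "socket", defang(f"{h}:{p}")) for h, p in rec["sockets"]]
        for url in rec["urls"]:
            tg = telegram_details(url)
            out.append((rec["family"], "telegram", f"bot {tg['bot_id']} -> chat {tg['chat_id']}")
                       if tg else (rec["family"], "url", defang(url)))
        for key, val in rec["fields"].items():
            if key not in ("Host", "Port", "telegram"):   # already emitted above
                out.append((rec["family"], key, val[:2] + "***" if key == "Password" else val))
    return out


if __name__ == "__main__":
    for item in shareable_iocs(parse_config(REPORT_CONFIG)):
        print("\t".join(item))
```

The AgentTesla block is the only one where the sandbox interleaves keys and values on the same lines ("Protocol: smtp- Host:"), which is why the key regex insists on a ": " after the key name: without that, the "http:" of the PureCrypter URL would be swallowed as a field. Note that the Telegram endpoint sits on a shared, TLS-fronted hostname, so unlike the two raw-IP endpoints it is not something to block by address; the bot id and chat id are the durable indicators there.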
Targets

Target: c2fbfeaae8323cc8ca88ab7e7d2a80f4389d7d77870b560e9959fedee8b23827
Size: 87KB
MD5: 54e3c76747e04cf98283167390e3f123
SHA1: a3addc3808226149381201bb24926fb8cbfff167
SHA256: c2fbfeaae8323cc8ca88ab7e7d2a80f4389d7d77870b560e9959fedee8b23827
SHA512: 576c959e486aa3b4a7f3902b27f29da9eb467b8339514f00e2fc9c83c0302b62b7778457fb54043a76e7530437836822ea7e4950b10e7783a8cd06666fd1052e
SSDEEP: 1536:oLQAJg6/L6iFQzXblXAorYfwJcxSTlWoJl0ovJvWR4jmft2Ib7ADUzqbD3htV:OJgsL66ykDxSTlWoJl0ovJvWR46fJb7m

- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET); the extracted config shows it exfiltrating over SMTP.
- Detect Xworm Payload
- Detect ZGRat V1
- PureCrypter: PureCrypter is a .NET malware loader first seen in early 2021.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext: rewriting another thread's context is the usual way injected or hollowed code gets control in a suspended process.
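
The "Adds Run key to start application" and "Executes dropped EXE" signatures, together with the XWorm config's `install_file` of `USB.exe`, tell a responder exactly where to look on a suspect host: the Run keys. The script below is an added example (not code from the report or from any sandbox tool) that triages a `reg export` dump of those keys. The `.reg` text is constructed for the example, with an invented user name and paths; only the install name `USB.exe` comes from the report. Each autostart value is parsed, its executable path recovered from the command line, and flagged when the image matches a known install name from an extracted config, lives in a user-writable directory, or carries a system-binary name outside the Windows directory.

```python
"""Triage Run-key autostart entries from a 'reg export' dump.
Added example; the .reg text is constructed (user and paths invented),
and the known install name USB.exe is taken from the XWorm config."""
import re
from pathlib import PureWindowsPath

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"USB"="C:\\Users\\victim\\AppData\\Roaming\\USB.exe"
"Updater"="C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"""

KNOWN_INSTALL_NAMES = {"usb.exe"}            # install_file from the XWorm config in the report
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')   # REG_SZ value lines only


def unescape_reg(data):
    """Undo .reg string escaping: \\ -> \ and \" -> " (single pass, left to right)."""
    return re.sub(r'\\(["\\])', r"\1", data)


def command_image(cmd):
    """Executable path from an autostart command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_run_keys(reg_text):
    """(key, value name, command) for every REG_SZ value under a ...\\Run key."""
    key, entries = None, []
    for line in reg_text.splitlines():
        if line.startswith("["):
            key = line.strip("[]")
        elif key and key.lower().endswith("\\run"):
            m = VALUE_RE.match(line)
            if m:
                entries.append((key, m["name"], unescape_reg(m["data"])))
    return entries


def triage_run_entries(reg_text, known_names=KNOWN_INSTALL_NAMES):
    """Flag autostart images by install-name match, location, or name masquerade."""
    findings = []
    for key, name, cmd in parse_run_keys(reg_text):
        image = command_image(cmd)
        low, base = image.lower(), PureWindowsPath(image).name.lower()
        reasons = []
        if base in known_names:
            reasons.append("matches install_file from extracted config")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("image in user-writable directory")
        if base in SYSTEM_NAMES and "\\windows\\" not in low:
            reasons.append("system binary name outside Windows directory")
        if reasons:
            findings.append({"key": key, "name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_REG):
        print(f"{f['name']:<12} {f['image']}\n    " + "; ".join(f["reasons"]))
```

On a live host the same dump comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent); the parser only handles REG_SZ values, so `hex(2):` expandable strings, which some droppers use, would need a separate decode step.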