General
-
Target
2156082a4e28c65689e951395aa84f5fdeb8b7e8b39acb61acf80ba199af0632
-
Size
786KB
-
Sample
240408-bvgerscg37
-
MD5
2b7ce040579f182b8c63ab5984038586
-
SHA1
174b5761db55cdbf5fba447fb5772cafbcef66df
-
SHA256
2156082a4e28c65689e951395aa84f5fdeb8b7e8b39acb61acf80ba199af0632
-
SHA512
5128a2cfdb4e14def232c0819a31aec2294f2768ff31c2e6044c6d9a3627bf1067b8bb5ea8a6bba0196a69fb00f3bd84c498e6e3136eda2cbc64150207254aef
-
SSDEEP
12288:bsJvmJFUAQGEj67//rKG7Ah9SL1jdlQSBP9BYy9597IJXUxkx:IJvmrU7jjOrKG7A/G1B2SBFL59YAe
Static task
static1
Behavioral task
behavioral1
Sample
2156082a4e28c65689e951395aa84f5fdeb8b7e8b39acb61acf80ba199af0632.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2156082a4e28c65689e951395aa84f5fdeb8b7e8b39acb61acf80ba199af0632.exe
Resource
win10v2004-20240319-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Armeringen/Indlsningers/Viewably.ps1
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Armeringen/Indlsningers/Viewably.ps1
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.liyemacp.co.za
Port: 587
Username: [email protected]
Password: JKFBWEcwcwe3
Email To: [email protected]
Targets
-
-
Target
2156082a4e28c65689e951395aa84f5fdeb8b7e8b39acb61acf80ba199af0632
-
Size
786KB
-
MD5
2b7ce040579f182b8c63ab5984038586
-
SHA1
174b5761db55cdbf5fba447fb5772cafbcef66df
-
SHA256
2156082a4e28c65689e951395aa84f5fdeb8b7e8b39acb61acf80ba199af0632
-
SHA512
5128a2cfdb4e14def232c0819a31aec2294f2768ff31c2e6044c6d9a3627bf1067b8bb5ea8a6bba0196a69fb00f3bd84c498e6e3136eda2cbc64150207254aef
-
SSDEEP
12288:bsJvmJFUAQGEj67//rKG7Ah9SL1jdlQSBP9BYy9597IJXUxkx:IJvmrU7jjOrKG7A/G1B2SBFL59YAe
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
Target
$PLUGINSDIR/nsExec.dll
-
Size
6KB
-
MD5
ac0f93b2dec82e9579bff14c8572a6c8
-
SHA1
6460244317cbb77e342adb3561ec3acb496c84d5
-
SHA256
3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34
-
SHA512
8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2
-
SSDEEP
96:5OBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+u3wEX:5hB2flXAVJtjf6cBbcB/N8Ved0PJ
Score 3/10
-
-
Target
Armeringen/Indlsningers/Viewably.Luk
-
Size
58KB
-
MD5
fa9fdfd55bab2c911783336c208665af
-
SHA1
f7f4cdedc334a1050c0e8f649c085275d633ff7e
-
SHA256
71671a408be5c07d907a66acbc416ed5a94b3b6b98ec043d615b9dad8bd27d39
-
SHA512
464da697cee044bb412da4fd418081016fc5735957ad74788ce3508b1da531a07b5bd0abbc641de3f96222e866d6343d70c267e30ab472844b9efde0a0d5df8a
-
SSDEEP
768:MKqRiafua4vlHYPgXRHV4gZ6RX/LhfvIsIp5+qkQH9kNcGGmL7UE3qkSrU24MeC0:6iaqlTXi/LhzIe9cG5EciU24IJdIoiau
Score 8/10
Modifies Installed Components in the registry
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-