General

  • Target

    2024-04-11-12.zip

  • Size

    1.4MB

  • Sample

    240419-kj853sda72

  • MD5

    e1ddfadee8f8d4f0211436372c8e3643

  • SHA1

    d2c7fe614d3bb068492e53aa0cdfc5d9dc13164c

  • SHA256

    02730e71f328c1db18bd641ee44c7b6f83f6b48491f46339168e13dd6ebe0e3e

  • SHA512

    eb9e3713409f4e61dfc745f81098eabcc0eb59b392869583da6a72ce8c3428a3109cc10d4728bbd4b428a127049f0dc33f8af7375035bdf38401c3379e46ac7d

  • SSDEEP

    24576:W2o5K6a2hnoSzfj7+D3x6lsRcQzoPm6KzRFbqLnG/c0q1DD6/QZk040X:W28aUoSgisSSoPm6fLG/hpMX

Malware Config

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    vZBznnd5

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    eddie101

Targets

    • Target

      334e2c89c9ee7b4522bbd263cc1fe59065d6a1a21919e11504158266bed762b8.exe

    • Size

      1.3MB

    • MD5

      26d4481358be879c74a936ae21fd125e

    • SHA1

      9b6fb5e4899a28ca77efd193a673ef4cf4d79cda

    • SHA256

      334e2c89c9ee7b4522bbd263cc1fe59065d6a1a21919e11504158266bed762b8

    • SHA512

      8f25d136919c4aa65b5c75d5ad406f98510e817901747ceef33c94f03c7fd0863d694949d2eb15608532c3d624f305cd224161cfb26da9592a2f25716fcd1861

    • SSDEEP

      24576:wAHnh+eWsN3skA4RV1Hom2KXMmHabVCjdWh/gJNdXi6K5:nh+ZkldoPK8YabgpWBgJNdy

    • Target

      4e7e2546901dc10eda0b3ec5237250129899018f3464bc33dc626952134435b9.exe

    • Size

      659KB

    • MD5

      5fe186dba01e6ee8355f8983bd13944e

    • SHA1

      b5c75991cc0e0e6baa12666691fcf38884d6abf6

    • SHA256

      4e7e2546901dc10eda0b3ec5237250129899018f3464bc33dc626952134435b9

    • SHA512

      3fcbfd546f7477d3d68f5f0b266eb493e49e6012494b00519779c4c8c80ecf67bd3074765dce94f252cd49635a1a7b3066fa2f3f4bbdfb1bca27263f36ceac25

    • SSDEEP

      12288:OcKsWWTVwiuHJBS67H77HVeHG6S7IPOixS1wx3vqzw1RgI7:GsWW5wbHJc67HvcHG97IPU+q+Rgm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is the usual final step of process hollowing: the injected payload's entry point replaces the thread's instruction pointer before the thread is resumed.

    • Target

      c5c810beaf075f8fee52146b381b0f94a6e303fada3bce12bcc07fbfa07ba07e.exe

    • Size

      234KB

    • MD5

      dc591fd6d108b50bd9aa1f3dce2f3fe4

    • SHA1

      3fea40223c02a15678912a29147d2b32d05c46df

    • SHA256

      c5c810beaf075f8fee52146b381b0f94a6e303fada3bce12bcc07fbfa07ba07e

    • SHA512

      cb15f32184d16a718017578b869b44c2d23d76348fda0cbc9f460c4132f9fd123f06485bbcc5281812ec67f7bc17ed04a69ab0cae1636d4b2db2f45fd798a2f8

    • SSDEEP

      3072:z+ymieCL2QfOdb/TmqtbqRFP55EMX+CWQ:z+ymieCLPfOdbqq9qRFvXJW

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
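The behaviours listed for the two Agent Tesla samples above, combined with the SMTP hosts from the extracted config under Malware Config, can be turned into a per-process hunting rule. The block below is an added example, not part of the sandbox report or of the Agent Tesla code: it scores constructed Sysmon-style event dicts and flags a process that both touches FTP/SFTP credential stores and talks SMTP submission to one of the extracted hosts. The event field names, the sample events, the mail-client allowlist and the IP-lookup host list are assumptions.

```python
import re

# Exfiltration endpoints taken from this report's extracted Agent Tesla config.
SMTP_EXFIL_HOSTS = {"us2.smtp.mailhostbox.com", "mail.privateemail.com"}
SMTP_SUBMISSION_PORT = 587

# Assumptions, not from the report: processes expected to speak SMTP submission,
# and public IP-lookup services that infostealers commonly query.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}

# Credential stores named by the report's signatures: WinSCP keeps sessions in
# the registry, FileZilla keeps site and recent-server lists as XML under %APPDATA%.
WINSCP_SESSIONS = re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions", re.I)
FILEZILLA_CONFIG = re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)


def classify(event):
    """Map one event dict to (label, ATT&CK id or None, weight), or None if benign."""
    kind = event["type"]
    if kind == "registry" and WINSCP_SESSIONS.search(event["path"]):
        return ("winscp_sessions_read", "T1552.002", 2)
    if kind == "file" and FILEZILLA_CONFIG.search(event["path"]):
        return ("filezilla_config_read", "T1552.001", 2)
    if kind == "network":
        host = event["dest_host"].lower()
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if host in SMTP_EXFIL_HOSTS and event["dest_port"] == SMTP_SUBMISSION_PORT:
            # A real mail client using the same provider is plausible, so that is
            # only weak evidence; any other image on 587 to these hosts is strong.
            return ("smtp_to_exfil_host", None, 1 if image in MAIL_CLIENTS else 3)
        if host in IP_LOOKUP_HOSTS:
            return ("external_ip_lookup", None, 1)
    return None


def hunt(events):
    """Aggregate per process: {pid: (score, [labels])} for every pid with a hit."""
    scores = {}
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        label, _, weight = hit
        score, labels = scores.get(ev["pid"], (0, []))
        scores[ev["pid"]] = (score + weight, labels + [label])
    return scores


def suspects(events, threshold=5):
    """Return the set of pids whose combined score reaches the threshold."""
    return {pid for pid, (score, _) in hunt(events).items() if score >= threshold}


# Constructed sample events (assumption: Sysmon registry/file/network events
# flattened to dicts). pid 4120 mimics the report's Agent Tesla behaviour,
# pid 2208 is Outlook talking to a legitimate provider, pid 5000 is noise.
TEMP_EXE = r"C:\Users\u\AppData\Local\Temp\x.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "registry", "image": TEMP_EXE,
     "path": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\srv1"},
    {"pid": 4120, "type": "file", "image": TEMP_EXE,
     "path": r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 4120, "type": "network", "image": TEMP_EXE,
     "dest_host": "api.ipify.org", "dest_port": 443},
    {"pid": 4120, "type": "network", "image": TEMP_EXE,
     "dest_host": "us2.smtp.mailhostbox.com", "dest_port": 587},
    {"pid": 2208, "type": "network", "image": OUTLOOK,
     "dest_host": "mail.privateemail.com", "dest_port": 587},
    {"pid": 5000, "type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.example.net", "dest_port": 443},
]

if __name__ == "__main__":
    for pid, (score, labels) in hunt(SAMPLE_EVENTS).items():
        print(pid, score, labels)
    print("suspects:", suspects(SAMPLE_EVENTS))
```

The image-name allowlist is deliberately only a weight, not an exclusion: the report also flags SetThreadContext on these samples, and a payload hollowed into a legitimate mail client would present that client's image while still exfiltrating, so the registry and file reads from the same process remain the decisive signal.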

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access

      Unsecured Credentials (T1552): 8
        Credentials In Files (T1552.001): 6
        Credentials in Registry (T1552.002): 2

  • Collection

      Data from Local System (T1005): 8

Tasks