Overview
General
Target: b555b98abe8eb8f9e9f240fdb22070df16680e8864a6d93549a8288f57bff5c7
Size: 3.2MB
Sample: 240424-bp6gpsdf32
MD5: 085ebb577d4392f3951592da1e78689e
SHA1: d765cca25fb9d7519313ad1e07d3909b3c0f82a7
SHA256: b555b98abe8eb8f9e9f240fdb22070df16680e8864a6d93549a8288f57bff5c7
SHA512: 8f351ad99cf5866de27f0f7168f0f79f704a1c5aebde8880b10aaf07727893f418001e70a3072fedefe4c736fece50c155dd3b46be1117cd9151e4e80c33a7db
SSDEEP: 98304:fHd/1gLeEz8PgPRMPMoGePXy+OutxPnLaMg:Dg1PMPX9PiHkxP2Mg
Behavioral tasks
- behavioral1: 04995df8cbeb0877d5721b8edecaf7d48154b17f8d0bfa61860beba48e30e0e2.exe (resource: win7-20240221-en)
- behavioral2: 04995df8cbeb0877d5721b8edecaf7d48154b17f8d0bfa61860beba48e30e0e2.exe (resource: win10v2004-20240412-en)
- behavioral3: 14b162eed3f3f592b5bb6b6b86e817a81834301ce1fe3500a7c328e041a81f66.elf (resource: debian12-armhf-20240221-en)
- behavioral4: 2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe (resource: win7-20240215-en)
- behavioral5: 2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe (resource: win10v2004-20240412-en)
- behavioral6: 2f84a18564ad0853e8c4853a610c42df170a3c0e50316ad65931201a727ff9bc.elf (resource: debian12-armhf-20240221-en)
- behavioral7: 620c15ed6f68b42d2a3b708c340d9ccff7a9217f49ff11effabad58821c7c08a.elf (resource: ubuntu2004-amd64-20240221-en)
- behavioral8: 623f93cf915a4c7e840b51e912221354507f169f6f95121324b4018e33d0d5c8.wsf (resource: win7-20240221-en)
- behavioral9: 623f93cf915a4c7e840b51e912221354507f169f6f95121324b4018e33d0d5c8.wsf (resource: win10v2004-20240412-en)
- behavioral10: 70932cac7130ce1561e74c534ba8db2589880a9858bd5b1de4683745576d1b1a.elf (resource: debian12-armhf-20240221-en)
- behavioral11: CAHKHCM2404009CFS.exe (resource: win7-20240221-en)
- behavioral12: CAHKHCM2404009CFS.exe (resource: win10v2004-20240226-en)
- behavioral13: a552331bbed7ca8a92633b6fcac504884d8a7bc54ce60618dd936f4aa8625560.elf (resource: ubuntu2004-amd64-20240221-en)
- behavioral14: b9d1e862b5f864aab90e418632cf973132a4b4cbe4044b1fb997d9dfbd7ad0f4.exe (resource: win7-20240221-en)
- behavioral15: b9d1e862b5f864aab90e418632cf973132a4b4cbe4044b1fb997d9dfbd7ad0f4.exe (resource: win10v2004-20240412-en)
- behavioral16: Michelines.ps1 (resource: win7-20231129-en)
- behavioral17: Michelines.ps1 (resource: win10v2004-20240226-en)
- behavioral18: f601a6e5b8d78c1f32dbf5fe2cd18cee7ac598cd35fb7aba60526f4df95271bc.elf (resource: debian12-armhf-20240221-en)
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.saleo-gomel.by
  Port: 587
  Username: [email protected]
  Password: Q_gidroadmin_2014
  Email To: [email protected]
Extracted:
  Protocol: smtp
  Host: mail.saleo-gomel.by
  Port: 587
  Username: [email protected]
  Password: Q_gidroadmin_2014
Extracted: mirai
  spagetti.openproxylist.info
Targets

Target: 04995df8cbeb0877d5721b8edecaf7d48154b17f8d0bfa61860beba48e30e0e2.exe
Size: 701KB
MD5: 190da3f2954e4c817a3ee720d5bf10f7
SHA1: 1bc2d3f6661de4653dc05f7d36cb53810be8b136
SHA256: 04995df8cbeb0877d5721b8edecaf7d48154b17f8d0bfa61860beba48e30e0e2
SHA512: 7864e1ade3fa97c79565b8b464eec5eb8afe54b51fc38417dcbb2922bc0e55e05fb1cd3f84ec4fd0aed2cbbfc32ddce6ddbf370744c1dca01b052e464039330e
SSDEEP: 12288:1kVE996u+hbON8WBzdgeb4kjklEn8lLVJLy9dnJDHOWFy:sEP6n0hzdgebD4P+9tJDNy
Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: 14b162eed3f3f592b5bb6b6b86e817a81834301ce1fe3500a7c328e041a81f66.elf
Size: 56KB
MD5: 4a4918771d934ff309164274607c2205
SHA1: 322f493d728a7129d62226c79f460ac5db371c36
SHA256: 14b162eed3f3f592b5bb6b6b86e817a81834301ce1fe3500a7c328e041a81f66
SHA512: 53a8ff980e952b16a38f8bf60e1aad7ef0db880e91e67c80a9a0de44e6df00817a083b409f4922fb9e6e35828994514d059f9461e261d7f486bee389a6d8417c
SSDEEP: 1536:JXJd/HuM7TaI2eSYZffwlmwubPXzpyQvVwRUL0ztn56TrT/XD:BJxnP2eSI3wkwopdVwRUL0ztnwnLD
Score: 1/10
Target: 2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe
Size: 852KB
MD5: 15f196c8858b2d1475159aec13f4fb32
SHA1: 2b11a170e73e552b1899911257e0414b81660e61
SHA256: 2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8
SHA512: ab4d5f10202038712ca2e81fd78dbc89fe96b8a23e2bd442ad22b1d658b5520a8a63243966abbf30803cee7a6104f55dad10f63714db170cb07d4e01fa12fe7d
SSDEEP: 24576:25hHMCcDBudIWS+FgLYrD5jxX7jaE1P1q:ahHXG8hS+FICLj8
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 2f84a18564ad0853e8c4853a610c42df170a3c0e50316ad65931201a727ff9bc.elf
Size: 31KB
MD5: b27eeb84b54c3cbbefd7eed086097c86
SHA1: b8b1c4f53e531a867d95aac5c87dd577cfa81799
SHA256: 2f84a18564ad0853e8c4853a610c42df170a3c0e50316ad65931201a727ff9bc
SHA512: 25bf88566b537e61e0b567c61b66898f901c268c407d304f555bc2039355b5e13c1deaa02e02feb70cb5778bfcf8b693f6551e17f7450b69ea157480bcd735a7
SSDEEP: 768:gjbVGaxbvqj/XGzTDuq53BLU6IauljrKEToAks3UozQ:gjBq/2zTXrLIjj8ABzQ
Score: 1/10
Target: 620c15ed6f68b42d2a3b708c340d9ccff7a9217f49ff11effabad58821c7c08a.elf
Size: 29KB
MD5: d15e0d59fb573bd3fed0126bf434b982
SHA1: 01a748696ac1eb2b85a8297ead29af408ef3f017
SHA256: 620c15ed6f68b42d2a3b708c340d9ccff7a9217f49ff11effabad58821c7c08a
SHA512: 983d42704a79f664d44c6712bb8dc608a29a96cf1b0211dd9c4cc6a7ccd59c04c10f57a077033ca53df08cde90efe11957ee721c4d4a5388c27a695dc31ae7d0
SSDEEP: 768:5KpROfidrsa6Uq4sn9Fp1Sr+OqDUM8sH9o+eI:5Kpk6doaxun0+OqD/8s2+V
Signatures:
- Deletes itself
- Modifies Watchdog functionality: Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Traces itself: Traces itself to prevent debugging attempts
- Writes file to system bin folder
Target: 623f93cf915a4c7e840b51e912221354507f169f6f95121324b4018e33d0d5c8.wsf
Size: 55KB
MD5: 6d2058cda28b4285006c69ce86422b00
SHA1: e438dc30c51de576537c87eb60d2c3a656f41687
SHA256: 623f93cf915a4c7e840b51e912221354507f169f6f95121324b4018e33d0d5c8
SHA512: 67a50f0e2ea180f5acd2de2467a52161c29b91040f56c1acc8a4c31dc4d6000c3cf7b93252a7df2d38b747b7c689570b988ee3f9371c44267dba7388c48e9701
SSDEEP: 768:YXf54p2p/fwNaKj7gHrI0i3wPDPM+A0s2hyOX0Q4afFysrmUYAYB8nq7r/Iaw0FU:Yx9ukLI1gPDPTxyk0MfFCNqngIaweU
Score: 8/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Target: 70932cac7130ce1561e74c534ba8db2589880a9858bd5b1de4683745576d1b1a.elf
Size: 59KB
MD5: 09a461ceb48ed902e5d9c22ea5692943
SHA1: e77f355d1ed30f6d5e7eedfb0dd89bc96056c08a
SHA256: 70932cac7130ce1561e74c534ba8db2589880a9858bd5b1de4683745576d1b1a
SHA512: 678f29b911b562f487794f07d56a2167f7825e7301c04d0bee1217d1034de4dd36046830555745b6122fc15591bd5c801ad7d61590817ce34b2ec8b01caa1f16
SSDEEP: 768:8YBgs2VF9NFitelxSUWru4fNDpHeGXfO+ybDgVNIhIxeC+rs+4cqbJ6lftm6bEUO:6LiWSZruIoJJtpaP7u/aTvotJDvt
Score: 1/10
Target: CAHKHCM2404009CFS.exe
Size: 852KB
MD5: 15f196c8858b2d1475159aec13f4fb32
SHA1: 2b11a170e73e552b1899911257e0414b81660e61
SHA256: 2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8
SHA512: ab4d5f10202038712ca2e81fd78dbc89fe96b8a23e2bd442ad22b1d658b5520a8a63243966abbf30803cee7a6104f55dad10f63714db170cb07d4e01fa12fe7d
SSDEEP: 24576:25hHMCcDBudIWS+FgLYrD5jxX7jaE1P1q:ahHXG8hS+FICLj8
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: a552331bbed7ca8a92633b6fcac504884d8a7bc54ce60618dd936f4aa8625560.elf
Size: 54KB
MD5: a3f694379bc9b8147d862cd7a57f3b1a
SHA1: a31790391ade668346d6979c65943773fd90555e
SHA256: a552331bbed7ca8a92633b6fcac504884d8a7bc54ce60618dd936f4aa8625560
SHA512: f14cde76efa44fcec825ea8484a5e258568d55493d16c80eb97818f92916e6a7be3e0e0196361c6488f7759d8096730ce698033c7e96b027af9cf41381861059
SSDEEP: 768:/QgRhU/v00xWDzhluvag0RCdxe77us+bvK8f06Z9krq0ucz3TkBqIW:EWDNlyazRCXevuLK8f0frq0uH0
Score: 9/10
Signatures:
- Contacts a large (237775) amount of remote hosts: This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows: This may indicate a network scan to discover remotely running services.
- Enumerates running processes: Discovers information about currently running processes on the system
Target: b9d1e862b5f864aab90e418632cf973132a4b4cbe4044b1fb997d9dfbd7ad0f4.exe
Size: 1.1MB
MD5: a0e9d68e9a8541eb30d6a31cae4a942b
SHA1: 3cae987132d7f45df56f77c1ff2a542cb64e64c0
SHA256: b9d1e862b5f864aab90e418632cf973132a4b4cbe4044b1fb997d9dfbd7ad0f4
SHA512: eebfe98652f6b7dffb7e57bdd73c80c073f0f1879ee8a86c17054e1e1ecc3bf5dcec66b4619944659b9038ecfca19254fec0cb60c5264d905382acc8fb0ea03a
SSDEEP: 24576:c0vvQvOM6sjFYk6IuhdTuvMJbmhQU/YydIE5Ltp:clvpN2zuvMxmhB/Ylyp
Score: 10/10
Signatures:
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: Michelines.All
Size: 56KB
MD5: 82340892cba1f6e4faaa080bb634cf9c
SHA1: 56b029cbcada747897e9beff7c8f1013b8c9b6ce
SHA256: a03bb54517df231824d324ad20b79094efef9af20eff855e30a6f459bcc43912
SHA512: dfea5297d9aef9004af38f8604e74313f99d477199e797dbeec5367ec3e6c0000a4c62eeab54425deee14de5b1adb224f09956a10619cf03b821b2b91b84f5c7
SSDEEP: 1536:aY1v3JTUB3Z1un5G97KwaJx8NIodV4kIj+1S78:auBUEnY7za0NIMa+k8
Score: 8/10
Signatures:
- Modifies Installed Components in the registry
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Target: f601a6e5b8d78c1f32dbf5fe2cd18cee7ac598cd35fb7aba60526f4df95271bc.elf
Size: 52KB
MD5: 132dcf4085f03bbde2db0212febc839b
SHA1: c1a666122eebef75969d77f5b44221551f021b6c
SHA256: f601a6e5b8d78c1f32dbf5fe2cd18cee7ac598cd35fb7aba60526f4df95271bc
SHA512: 52f658e9baa2df4a8b37fa6483886674c838a7e411e5eee03de9f8d917ea87842280d1594c7684e19f850d0519c55e4dee50e868f7de7be9a2152994ee445a44
SSDEEP: 768:yUS3LZKF1NYoeLMfl3q3Eg+Sz1QBGTnE4FV9T3GEUF2vtaM9o6ZDtDRvy2g:yz38Fnda3Eg+oE4FvhGlQRo2g
Score: 1/10
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Hijack Execution Flow (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Hijack Execution Flow (1)
- Scheduled Task/Job (1)
Credential Access
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)