Overview

overview

10

Static

static

3

SecuriteIn...24.exe

windows7-x64

6

SecuriteIn...24.exe

windows10-2004-x64

10

Resubmissions

21-05-2024 10:56

240521-m1yrsaah95 10

17-05-2024 09:33

240517-lh8nlabg6x 10

17-05-2024 09:25

240517-ldlchabh35 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

  • Size

    1.1MB

  • Sample

    240517-lh8nlabg6x

  • MD5

    ab8be64fd575f219a2ff48c82eeebf81

  • SHA1

    af39348f99e58dc93a79fdb66e51f73f135a4a4b

  • SHA256

    51e3e221774cbf9c557325fdf05fae962db239979cf28694c83170b1c9963c6a

  • SHA512

    4c014e1578bf1b1f9f294c204f0717f80ed8ed798ed5551cae389bdc943ded559936069f2d0cf3cc6fdf501c3a84309773463a06bc7995682068f7d1ecaf8a42

  • SSDEEP

    24576:b6G5oq6WlY5EQJbBCt598PkfzGwWPEXyqc:bPQrJChIP1q

Score
10/10
agentteslaremcosremotehostmicrosoftcollectionkeyloggerpersistencephishingratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.zoho.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    IDMzp2Gy8uh9

Extracted

Family

remcos

Botnet

RemoteHost

C2

timeisnow.duckdns.org:4343

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-6P097R

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    5

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

    • Size

      1.1MB

    • MD5

      ab8be64fd575f219a2ff48c82eeebf81

    • SHA1

      af39348f99e58dc93a79fdb66e51f73f135a4a4b

    • SHA256

      51e3e221774cbf9c557325fdf05fae962db239979cf28694c83170b1c9963c6a

    • SHA512

      4c014e1578bf1b1f9f294c204f0717f80ed8ed798ed5551cae389bdc943ded559936069f2d0cf3cc6fdf501c3a84309773463a06bc7995682068f7d1ecaf8a42

    • SSDEEP

      24576:b6G5oq6WlY5EQJbBCt598PkfzGwWPEXyqc:bPQrJChIP1q

    Score
    10/10
    persistenceagentteslaremcosremotehostmicrosoftcollectionkeyloggerphishingratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Detected potential entity reuse from brand microsoft.

      phishingmicrosoft

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks