General
-
Target
616441c74c95a52ec38217d221e79cee12ec87dc0e7276059b5be1274382dd5a.exe
-
Size
1.4MB
-
Sample
240523-bzerqsgg5y
-
MD5
a7afb929a4be723fd2c352dad4197c6c
-
SHA1
1357ae925d422ba0b98f14322e73de0cf88e6903
-
SHA256
616441c74c95a52ec38217d221e79cee12ec87dc0e7276059b5be1274382dd5a
-
SHA512
418fde024c04c7e17391d325f06eb0ff6b1ac3bda83e333749e824746688549972eab1a32799a78c24ed6c0df83369536c6d00a4d7b42e503a5c9bdb016e7d7f
-
SSDEEP
24576:yn25nPkW3amy8sQxeWcktTjbJ4/auDyEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKr:yn2kGy7wTjbq/DyEEEEEEEEEEEEEEEEm
Malware Config
Extracted
Protocol: ftp- Host:
ftp.rusticpensiune.ro - Port:
21 - Username:
[email protected] - Password:
99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt
Targets
-
-
Target
616441c74c95a52ec38217d221e79cee12ec87dc0e7276059b5be1274382dd5a.exe
-
Size
1.4MB
-
MD5
a7afb929a4be723fd2c352dad4197c6c
-
SHA1
1357ae925d422ba0b98f14322e73de0cf88e6903
-
SHA256
616441c74c95a52ec38217d221e79cee12ec87dc0e7276059b5be1274382dd5a
-
SHA512
418fde024c04c7e17391d325f06eb0ff6b1ac3bda83e333749e824746688549972eab1a32799a78c24ed6c0df83369536c6d00a4d7b42e503a5c9bdb016e7d7f
-
SSDEEP
24576:yn25nPkW3amy8sQxeWcktTjbJ4/auDyEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKr:yn2kGy7wTjbq/DyEEEEEEEEEEEEEEEEm
Score10/10-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Executes dropped EXE
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-