General
-
Target
Conferma di pagamento 003949900.img
-
Size
1.2MB
-
Sample
240530-rcyt4acb63
-
MD5
e3d9f9ca702eaf1dda45737e3d6d3657
-
SHA1
99f1ddd6fe6c752a42a785b73f5083adaeaf359f
-
SHA256
9b592f561c9b16240b9d95a1606cef69476296ac01cf8c52b7f175bc0fe65b99
-
SHA512
c2897b5f2b6fdbb58377dae911d64215c1670a4f6a6af08ee808f0352ec2a8a25c16a631a7b64f7dd74ff5d75d8b12a6ae05628c8e3d0d7ccd35cd5d4e8ec8d6
-
SSDEEP
6144:h//I2y3VKIo8oJwO9qJCVTaTb7XqjfTundGKNPZ2QSKkdKwYklIPCBzrlFLqktmD:dvdsolqcQb7wfTuAuPMplp3IXj
Static task
static1
Behavioral task
behavioral1
Sample
Conferma di pagamento 003949900.iso
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Conferma di pagamento 003949900.iso
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
Conferma di pagamento 003949900.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
Conferma di pagamento 003949900.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.atisceramiche.it - Port:
21 - Username:
[email protected] - Password:
boygirl123456
Targets
-
-
Target
Conferma di pagamento 003949900.img
-
Size
1.2MB
-
MD5
e3d9f9ca702eaf1dda45737e3d6d3657
-
SHA1
99f1ddd6fe6c752a42a785b73f5083adaeaf359f
-
SHA256
9b592f561c9b16240b9d95a1606cef69476296ac01cf8c52b7f175bc0fe65b99
-
SHA512
c2897b5f2b6fdbb58377dae911d64215c1670a4f6a6af08ee808f0352ec2a8a25c16a631a7b64f7dd74ff5d75d8b12a6ae05628c8e3d0d7ccd35cd5d4e8ec8d6
-
SSDEEP
6144:h//I2y3VKIo8oJwO9qJCVTaTb7XqjfTundGKNPZ2QSKkdKwYklIPCBzrlFLqktmD:dvdsolqcQb7wfTuAuPMplp3IXj
Score6/10-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
Conferma di pagamento 003949900.bat
-
Size
480KB
-
MD5
1b27df99b7846825039b462c81398ced
-
SHA1
2648379db4f545e31f7dcde499177d7fe82e3c2c
-
SHA256
02c8ba535f477255df334a19882cc219f079ce64ca1d5e0deec810fd06e48981
-
SHA512
6487c40cae227a85fe043efa3aa90bad7780effdffe56d45d38287f02d67d102f932feb9ce25f8e883bad13e36f2a3c9bbb5738b0cb02b9861bf85fa08c099a4
-
SSDEEP
6144:u//I2y3VKIo8oJwO9qJCVTaTb7XqjfTundGKNPZ2QSKkdKwYklIPCBzrlFLqktmu:0vdsolqcQb7wfTuAuPMplp3IXjq
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
ee260c45e97b62a5e42f17460d406068
-
SHA1
df35f6300a03c4d3d3bd69752574426296b78695
-
SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
-
SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3
-
SSDEEP
192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
Score3/10 -