General

  • Target

    48d134a16273121969501304718b77ec2325bafb9951a2ae501badc8cf738be4.zip

  • Size

    780KB

  • Sample

    240612-brgalaxeqk

  • MD5

    a22cfbc7defbbc33cf21c5fe9a14602e

  • SHA1

    aa448eea3a1ca2ee75f5f5659b7a8e6f5f29adb9

  • SHA256

    48d134a16273121969501304718b77ec2325bafb9951a2ae501badc8cf738be4

  • SHA512

    ab3d6e85232d6be2ab160b7f77ca8364694fb4089e8e0cb25b62dad5c748cc8034980db2bb90481526c2a7c403dc1a7d8de6902503a72741c5bb2de6a640c06c

  • SSDEEP

    24576:AWYJXRWrmh4xkIXbEqGIjoBr7mCzfDi3ys5K91J8:AWYJXqXYIjoBvmqDYv5aJ8

Malware Config

Targets

    • Target

      SOA.exe

    • Size

      1.2MB

    • MD5

      a6e9d4fa94edb21aa16b167dfec4f624

    • SHA1

      1b9f0d78dd27baa672c3d904b8bb0e8e9bdf7117

    • SHA256

      f0a931ba453d846bac36ab75d1e79847170cd8f562ccb117e92133434d301abf

    • SHA512

      1f64657ca18349d7977797b47414969494ab914387d1175b1cfeae4cda4f066111059eec2aa66fcf8333398934e764c740ee2d71453ada91fcd71c6a8c66bc64

    • SSDEEP

      24576:/AHnh+eWsN3skA4RV1Hom2KXMmHaWe2HXtKxksRk9bEC5:ih+ZkldoPK8YaWegt+RR8d

    • AgentTesla

Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET).

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows Vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Adds a Run key to start the application at logon (persistence).

    • Suspicious use of SetThreadContext (commonly seen with process hollowing / thread hijacking).
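The string-reference signatures listed above ("referencing many web browsers", "referencing Windows vault credential objects", "referencing many file transfer clients") are static heuristics: they count how many product or API names a binary embeds. The following is an added example of that style of check, not the sandbox's own rules or code from the sample; the keyword lists, thresholds and the constructed sample bytes are assumptions chosen for illustration. It extracts both ASCII and UTF-16LE strings (the latter is how a .NET user-string heap stores literals) and reports the categories that cross a threshold. The Run key and SetThreadContext signatures are behavioural and are only hinted at statically, so the example treats a Run key path as a weak indicator rather than proof of persistence.

```python
import re

# Constructed, illustrative keyword sets (assumption: not the sandbox's actual rule contents).
CATEGORIES = {
    "browsers": ["chrome", "firefox", "opera", "brave", "edge", "vivaldi", "yandex", "chromium"],
    "mail_clients": ["outlook", "thunderbird", "foxmail", "the bat!", "incredimail", "postbox"],
    "ftp_clients": ["filezilla", "winscp", "flashfxp", "smartftp", "coreftp", "ftpgetter"],
    "vault_api": ["vaultopenvault", "vaultenumerateitems", "vaultgetitem", "vaultcli"],
    "run_key": [r"software\microsoft\windows\currentversion\run"],
}

# Minimum distinct matches before a category is reported (assumed thresholds).
THRESHOLDS = {"browsers": 3, "mail_clients": 3, "ftp_clients": 3, "vault_api": 1, "run_key": 1}

# Printable ASCII runs, and printable UTF-16LE runs (char, NUL, char, NUL, ...), at least 4 chars.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> list:
    """Return printable strings found as ASCII or UTF-16LE in a byte blob."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return found


def score(data: bytes) -> dict:
    """Map each category to the sorted list of keywords that appear in the blob's strings."""
    strings = [s.lower() for s in extract_strings(data)]
    return {
        cat: sorted({kw for kw in needles if any(kw in s for s in strings)})
        for cat, needles in CATEGORIES.items()
    }


def triage(data: bytes) -> dict:
    """Keep only categories whose distinct-match count reaches the threshold."""
    return {cat: hits for cat, hits in score(data).items() if len(hits) >= THRESHOLDS[cat]}


def build_sample() -> bytes:
    """Constructed stand-in for a stealer binary: UTF-16LE path literals plus ASCII import names.
    This is fabricated test data, not bytes from the SOA.exe sample on this page."""
    literals = [
        "Google\\Chrome\\User Data",
        "Mozilla\\Firefox\\Profiles",
        "Opera Software\\Opera Stable",
        "Thunderbird\\Profiles",
        "FileZilla\\recentservers.xml",
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    ]
    blob = b"\x00" * 16
    for lit in literals:
        blob += lit.encode("utf-16le") + b"\x00\x00"
    blob += b"vaultcli.dll\x00VaultOpenVault\x00VaultEnumerateItems\x00"
    return blob


if __name__ == "__main__":
    for category, hits in triage(build_sample()).items():
        print(f"{category}: {', '.join(hits)}")
```

On the constructed sample the browser category fires (three distinct browsers), the vault API category fires, and the Run key path is flagged, while a single mail client or FTP client reference stays below threshold; that is the point of counting distinct references rather than alerting on any one product name, which would also match legitimate backup or migration tools.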

MITRE ATT&CK Enterprise v15

Tasks