General

  • Target

    a86c3fc17ce2011b277a937078aa1cba9d8c52e8869a15535d6cfd3db196755e

  • Size

    2.9MB

  • Sample

    240619-bdtnrsvekj

  • MD5

    2e16335ad74d4880c54dd5f592f08110

  • SHA1

    a6e914ac674ff97a82666b5bcb681f80ca9e60d3

  • SHA256

    a86c3fc17ce2011b277a937078aa1cba9d8c52e8869a15535d6cfd3db196755e

  • SHA512

    954d5425b0fab7da0500a8b9061be9b433d62ae34e500ac9e45bc17c368bf18f98c73163201c99dabee58d6ece70f28d5f469c9ba2040583dc17f35d3eaa9afe

  • SSDEEP

    49152:hCVZxqXK3j0Ha1G4fGZRAj+0M2FyjLYQF2RlYqupJa9uXyU8fEFPoWw9vlRRBlzR:hC7xqXKT0wtuZ10/eLYQWuCU8fEVsp3P

Malware Config

  • Extracted

      Family: agenttesla
      Credentials:

  • Extracted

      Family: redline
      Botnet: cheat
      C2: 45.137.22.68:55615

  • Extracted

      Family: gcleaner
      C2: 185.172.128.90, 5.42.64.56, 185.172.128.69

Targets

    • Target

      66ecdd9e82e6b829dc44e8eb897064793cc40509207d0e6e2db611ff0b2f3696.exe

    • Size

      928KB

    • MD5

      d0497f3106425ac56562fdb456972cef

    • SHA1

      4438fbc600c8d013d25a8b45b757329334dfee3a

    • SHA256

      66ecdd9e82e6b829dc44e8eb897064793cc40509207d0e6e2db611ff0b2f3696

    • SHA512

      235c87ba24128277c1478de1df8d6bfda78622ed8721ae91dde2a619a1d4247b9ce09c0eba30a3a5b003b89208bedafce1f7c6c184b703ac88a0c9693628b234

    • SSDEEP

      24576:515yC5XYU5DN41CJkKJmI99Qz9rkGLIY7Y1q:573JPk1CVJh99QzxkQ

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths and processes (typically via Add-MpPreference), so the dropped payloads escape scanning.

    • Checks computer location settings

      Reads the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), most likely to geofence execution by victim locale.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe

    • Size

      809KB

    • MD5

      15f948da0e0786ee883bc9714ee6b47a

    • SHA1

      13d0747a12ce2783ac3a1d225d760cd5b2ed1aa1

    • SHA256

      88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573

    • SHA512

      006913022a08797087c1a47e89f1fba3beef5eb7f925631d507e841f361b56fe7dbefa1a1a60c0f5542742ad71c0b142ab5f4d280bfd9bc50bf5f7018c6bb31e

    • SSDEEP

      24576:aJr8tE+sQJRRGM3sU+7sdCGNcArcotgiko7ehxaFpmx9:aJ4LP1MsdV5c+g5OiaFM/

    • RedLine

      RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths and processes (typically via Add-MpPreference), so the dropped payloads escape scanning.

    • Checks computer location settings

      Reads the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), most likely to geofence execution by victim locale.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      a0527f548f6ed392f4d578d32ce5d75677492875b13a60a068e55f8ad6105267.exe

    • Size

      371KB

    • MD5

      8a531ac1850e79081759de09b70251db

    • SHA1

      1cc10eb949d449c7152ca0e3409d94b8d61db5d4

    • SHA256

      a0527f548f6ed392f4d578d32ce5d75677492875b13a60a068e55f8ad6105267

    • SHA512

      ecbc061a19c0c839f49ae790de0b38b34b582b34ce16095bf2ee3287745edc5823dbfc29fb84229bdc81c7b5c157c7f2eb80b01a236b8ac3e38d8e8493995efc

    • SSDEEP

      6144:qFbhWI22curenuAAH84PPt2cW5Gz4KvNGbtqSvTH:q/2orjbPPtr/YHH

    Score
    10/10
    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Target

      e2ea3676e2e980745eda749615e7dc0be91e60f7fb98bb553ba0ad32a36504d2.exe

    • Size

      1.0MB

    • MD5

      63d356772caf13231ce183356f9b0841

    • SHA1

      70cafe73c578de49fdbe1edb1799744d700c1650

    • SHA256

      e2ea3676e2e980745eda749615e7dc0be91e60f7fb98bb553ba0ad32a36504d2

    • SHA512

      4b23637170a53ccf2e2bbbfc1a85672b9d283327213bead0a43914faae6ed6fa33fb6cadcd88beaaccf5b5f65cad677cace40ceb228ae5ed540ed7814314930f

    • SSDEEP

      24576:CAHnh+eWsN3skA4RV1Hom2KXMmHac8NLwW070Z5:Fh+ZkldoPK8Yac8NU77i

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      f419ddfc11a334a5ab4f9a289db5783877d4108107ed912e2e2b3f57ae9be808.exe

    • Size

      720KB

    • MD5

      32e23d2a6363a4ae1ef3eccf6bbc233e

    • SHA1

      f2ed0bd4da811d4c29ff25b4ac799be7ceefc694

    • SHA256

      f419ddfc11a334a5ab4f9a289db5783877d4108107ed912e2e2b3f57ae9be808

    • SHA512

      71a247f534d290657d564983b0ec9f29d8f40af275a67069170a90d98aba6a439b0a218c3c9ee0a42fcb36c5d8d77e87ee3335c3c8b4fc5249a749e6d64661ae

    • SSDEEP

      12288:H262iNPyCK2xrOoN6VqVlwfhOGRoSQj92gMjSMh0B11f5nSw3QEBg5xC:L15yC5NbnogSHh0tf5S6ms

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths and processes (typically via Add-MpPreference), so the dropped payloads escape scanning.

    • Checks computer location settings

      Reads the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), most likely to geofence execution by victim locale.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of signatures in this analysis that map to it (for example, the three "Command and Scripting Interpreter: PowerShell" hits across the dropped targets).

  • Execution

      Command and Scripting Interpreter (T1059): 3
        PowerShell (T1059.001): 3
      Scheduled Task/Job (T1053): 3
        Scheduled Task (T1053.005): 3

  • Persistence

      Boot or Logon Autostart Execution (T1547): 2
        Registry Run Keys / Startup Folder (T1547.001): 2
      Scheduled Task/Job (T1053): 3
        Scheduled Task (T1053.005): 3

  • Privilege Escalation

      Boot or Logon Autostart Execution (T1547): 2
        Registry Run Keys / Startup Folder (T1547.001): 2
      Scheduled Task/Job (T1053): 3
        Scheduled Task (T1053.005): 3

  • Defense Evasion

      Modify Registry (T1112): 2

  • Discovery

      Query Registry (T1012): 3
      System Information Discovery (T1082): 7