Overview

Score: 10 (the static task and every behavioral task scored 10)

General
  Target: a86c3fc17ce2011b277a937078aa1cba9d8c52e8869a15535d6cfd3db196755e
  Size: 2.9MB
  Sample: 240619-bdtnrsvekj
  MD5: 2e16335ad74d4880c54dd5f592f08110
  SHA1: a6e914ac674ff97a82666b5bcb681f80ca9e60d3
  SHA256: a86c3fc17ce2011b277a937078aa1cba9d8c52e8869a15535d6cfd3db196755e
  SHA512: 954d5425b0fab7da0500a8b9061be9b433d62ae34e500ac9e45bc17c368bf18f98c73163201c99dabee58d6ece70f28d5f469c9ba2040583dc17f35d3eaa9afe
  SSDEEP: 49152:hCVZxqXK3j0Ha1G4fGZRAj+0M2FyjLYQF2RlYqupJa9uXyU8fEFPoWw9vlRRBlzR:hC7xqXKT0wtuZ10/eLYQWuCU8fEVsp3P
Tasks

Static task: static1

Behavioral tasks (each of the five executables carried by the sample was submitted on both windows7-x64 and windows10-2004-x64):
  behavioral1: 66ecdd9e82e6b829dc44e8eb897064793cc40509207d0e6e2db611ff0b2f3696.exe on win7-20240508-en
  behavioral2: 66ecdd9e82e6b829dc44e8eb897064793cc40509207d0e6e2db611ff0b2f3696.exe on win10v2004-20240508-en
  behavioral3: 88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe on win7-20240220-en
  behavioral4: 88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe on win10v2004-20240611-en
  behavioral5: a0527f548f6ed392f4d578d32ce5d75677492875b13a60a068e55f8ad6105267.exe on win7-20240221-en
  behavioral6: a0527f548f6ed392f4d578d32ce5d75677492875b13a60a068e55f8ad6105267.exe on win10v2004-20240508-en
  behavioral7: e2ea3676e2e980745eda749615e7dc0be91e60f7fb98bb553ba0ad32a36504d2.exe on win7-20240508-en
  behavioral8: e2ea3676e2e980745eda749615e7dc0be91e60f7fb98bb553ba0ad32a36504d2.exe on win10v2004-20240508-en
  behavioral9: f419ddfc11a334a5ab4f9a289db5783877d4108107ed912e2e2b3f57ae9be808.exe on win7-20240611-en
Malware Config

Extracted: agenttesla (SMTP exfiltration settings; stolen data is mailed through this account)
  Protocol: smtp
  Host: mail.clslk.com
  Port: 587
  Username: [email protected]
  Password: NUZRATHinam1978
  Email To: [email protected]

Extracted: redline
  Botnet ID: cheat
  C2: 45.137.22.68:55615

Extracted: gcleaner (download servers)
  185.172.128.90
  5.42.64.56
  185.172.128.69
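The extracted configuration above is directly actionable. The following Python is an added example (it is not the sandbox's code and not part of the report) that turns the three configs into a small matcher and runs it over constructed DNS and connection events. The pipe-separated event format, the 10.0.0.x source hosts and the 203.0.113.10 stand-in for the resolved mail server are assumptions; the indicators themselves are copied verbatim from the section above.

```python
"""
IOC matcher built from the configs the sandbox extracted above (AgentTesla SMTP
exfiltration, RedLine C2, GCleaner download servers). Added example; not part
of the report. Event lines use a constructed 'kind|src|...' format, not a real
sensor export.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address

# Extracted configuration, copied from the "Malware Config" section.
IOCS = {
    "agenttesla": {"smtp_host": "mail.clslk.com", "smtp_port": 587},
    "redline": {"c2": ("45.137.22.68", 55615)},
    "gcleaner": {"ips": {"185.172.128.90", "5.42.64.56", "185.172.128.69"}},
}

@dataclass(frozen=True)
class Event:
    kind: str          # "dns" or "conn"
    src: str           # internal host that made the query or connection
    dst: str           # query name (dns) or destination IP (conn)
    dport: int = 0
    proto: str = ""

def parse_event(line: str) -> Event:
    """Parse 'dns|src|qname' or 'conn|src|dst_ip|dport|proto' (constructed format).
    Raises ValueError on a malformed line so bad input is not silently dropped."""
    f = line.strip().split("|")
    if f[0] == "dns" and len(f) == 3:
        return Event("dns", f[1], f[2].lower().rstrip("."))
    if f[0] == "conn" and len(f) == 5:
        ip_address(f[2])                      # validates the destination address
        return Event("conn", f[1], f[2], int(f[3]), f[4].lower())
    raise ValueError(f"unrecognised event line: {line!r}")

def match_event(ev: Event) -> list[tuple[str, str, str]]:
    """Return (family, confidence, reason) for every IOC the event touches."""
    hits: list[tuple[str, str, str]] = []
    if ev.kind == "dns":
        if ev.dst == IOCS["agenttesla"]["smtp_host"]:
            hits.append(("agenttesla", "high", f"DNS lookup of exfil SMTP host {ev.dst}"))
        return hits
    c2_ip, c2_port = IOCS["redline"]["c2"]
    if ev.dst == c2_ip:
        if ev.dport == c2_port:
            hits.append(("redline", "high", f"connection to RedLine C2 {c2_ip}:{c2_port}"))
        else:
            # Same server on another port: still the C2 host, but the config
            # only lists 55615, so rate it lower.
            hits.append(("redline", "medium", f"connection to RedLine C2 host {c2_ip} on port {ev.dport}"))
    if ev.dst in IOCS["gcleaner"]["ips"]:
        hits.append(("gcleaner", "high", f"connection to GCleaner server {ev.dst}"))
    if ev.proto == "tcp" and ev.dport == IOCS["agenttesla"]["smtp_port"]:
        # The exfil host is a name, so its resolved IP is not in the report.
        # Direct SMTP submission from a workstation is worth a look on its own.
        hits.append(("agenttesla", "low", f"outbound SMTP submission (587) to {ev.dst}; correlate with DNS"))
    return hits

def scan(lines) -> list[dict]:
    """Parse and match a batch of event lines; one dict per hit."""
    out = []
    for line in lines:
        ev = parse_event(line)
        for family, conf, reason in match_event(ev):
            out.append({"src": ev.src, "family": family, "confidence": conf, "reason": reason})
    return out

def blocklist() -> list[str]:
    """Flat, sorted IOC list for a firewall or DNS blocklist."""
    c2_ip, c2_port = IOCS["redline"]["c2"]
    items = {IOCS["agenttesla"]["smtp_host"], f"{c2_ip}:{c2_port}", *IOCS["gcleaner"]["ips"]}
    return sorted(items)

# Constructed events: 10.0.0.15 behaves like the analysed bundle; 10.0.0.22 is
# mostly benign but touches the RedLine C2 address on an unexpected port.
SAMPLE_EVENTS = [
    "dns|10.0.0.15|mail.clslk.com",
    "conn|10.0.0.15|203.0.113.10|587|tcp",   # documentation address standing in for the resolved mail host
    "conn|10.0.0.15|45.137.22.68|55615|tcp",
    "conn|10.0.0.15|185.172.128.69|80|tcp",
    "dns|10.0.0.22|www.example.com",
    "conn|10.0.0.22|45.137.22.68|443|tcp",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["src"]:<12} {hit["family"]:<11} {hit["confidence"]:<7} {hit["reason"]}')
```

The RedLine C2 is matched on IP and port together because the config gives both; the GCleaner servers are matched on IP alone because the report lists no ports; and the AgentTesla host is a DNS indicator, since only the name is known. The SMTP credentials are an indicator in their own right: the account is the attacker's drop box, and the operator of mail.clslk.com should be told it is being abused.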
Targets

Target: 66ecdd9e82e6b829dc44e8eb897064793cc40509207d0e6e2db611ff0b2f3696.exe
  Size: 928KB
  MD5: d0497f3106425ac56562fdb456972cef
  SHA1: 4438fbc600c8d013d25a8b45b757329334dfee3a
  SHA256: 66ecdd9e82e6b829dc44e8eb897064793cc40509207d0e6e2db611ff0b2f3696
  SHA512: 235c87ba24128277c1478de1df8d6bfda78622ed8721ae91dde2a619a1d4247b9ce09c0eba30a3a5b003b89208bedafce1f7c6c184b703ac88a0c9693628b234
  SSDEEP: 24576:515yC5XYU5DN41CJkKJmI99Qz9rkGLIY7Y1q:573JPk1CVJh99QzxkQ
  Signatures:
  - AgentTesla. Agent Tesla is a .NET-based information stealer and remote access tool (RAT); this build exfiltrates over SMTP using the credentials in the extracted config.
  - Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
  - Adds Run key to start application.
  - Suspicious use of SetThreadContext. This is the call process hollowing uses to point a suspended child process's thread at injected code.
Target: 88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe
  Size: 809KB
  MD5: 15f948da0e0786ee883bc9714ee6b47a
  SHA1: 13d0747a12ce2783ac3a1d225d760cd5b2ed1aa1
  SHA256: 88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573
  SHA512: 006913022a08797087c1a47e89f1fba3beef5eb7f925631d507e841f361b56fe7dbefa1a1a60c0f5542742ad71c0b142ab5f4d280bfd9bc50bf5f7018c6bb31e
  SSDEEP: 24576:aJr8tE+sQJRRGM3sU+7sdCGNcArcotgiko7ehxaFpmx9:aJ4LP1MsdV5c+g5OiaFM/
  Signatures:
  - RedLine. RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  - RedLine payload.
  - SectopRAT payload.
  - Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
  - Executes dropped EXE.
  - Loads dropped DLL.
  - Suspicious use of SetThreadContext. This is the call process hollowing uses to point a suspended child process's thread at injected code.
Target: a0527f548f6ed392f4d578d32ce5d75677492875b13a60a068e55f8ad6105267.exe
  Size: 371KB
  MD5: 8a531ac1850e79081759de09b70251db
  SHA1: 1cc10eb949d449c7152ca0e3409d94b8d61db5d4
  SHA256: a0527f548f6ed392f4d578d32ce5d75677492875b13a60a068e55f8ad6105267
  SHA512: ecbc061a19c0c839f49ae790de0b38b34b582b34ce16095bf2ee3287745edc5823dbfc29fb84229bdc81c7b5c157c7f2eb80b01a236b8ac3e38d8e8493995efc
  SSDEEP: 6144:qFbhWI22curenuAAH84PPt2cW5Gz4KvNGbtqSvTH:q/2orjbPPtr/YHH
  Signatures (no family signature matched this target):
  - Downloads MZ/PE file.
  - Deletes itself.
  - Loads dropped DLL.
Target: e2ea3676e2e980745eda749615e7dc0be91e60f7fb98bb553ba0ad32a36504d2.exe
  Size: 1.0MB
  MD5: 63d356772caf13231ce183356f9b0841
  SHA1: 70cafe73c578de49fdbe1edb1799744d700c1650
  SHA256: e2ea3676e2e980745eda749615e7dc0be91e60f7fb98bb553ba0ad32a36504d2
  SHA512: 4b23637170a53ccf2e2bbbfc1a85672b9d283327213bead0a43914faae6ed6fa33fb6cadcd88beaaccf5b5f65cad677cace40ceb228ae5ed540ed7814314930f
  SSDEEP: 24576:CAHnh+eWsN3skA4RV1Hom2KXMmHac8NLwW070Z5:Fh+ZkldoPK8Yac8NU77i
  Signatures:
  - AgentTesla. Agent Tesla is a .NET-based information stealer and remote access tool (RAT).
  - Adds Run key to start application.
  - Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
  - Suspicious use of SetThreadContext. This is the call process hollowing uses to point a suspended child process's thread at injected code.
Target: f419ddfc11a334a5ab4f9a289db5783877d4108107ed912e2e2b3f57ae9be808.exe
  Size: 720KB
  MD5: 32e23d2a6363a4ae1ef3eccf6bbc233e
  SHA1: f2ed0bd4da811d4c29ff25b4ac799be7ceefc694
  SHA256: f419ddfc11a334a5ab4f9a289db5783877d4108107ed912e2e2b3f57ae9be808
  SHA512: 71a247f534d290657d564983b0ec9f29d8f40af275a67069170a90d98aba6a439b0a218c3c9ee0a42fcb36c5d8d77e87ee3335c3c8b4fc5249a749e6d64661ae
  SSDEEP: 12288:H262iNPyCK2xrOoN6VqVlwfhOGRoSQj92gMjSMh0B11f5nSw3QEBg5xC:L15yC5NbnogSHh0tf5S6ms
  Signatures:
  - AgentTesla. Agent Tesla is a .NET-based information stealer and remote access tool (RAT).
  - Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
  - Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
  - Suspicious use of SetThreadContext. This is the call process hollowing uses to point a suspended child process's thread at injected code.
MITRE ATT&CK Matrix (ATT&CK v13; the count after each entry is the number of targets that exhibited it)

Execution
  Command and Scripting Interpreter (3)
    PowerShell (3)
  Scheduled Task/Job (3)
    Scheduled Task (3)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Scheduled Task/Job (3)
    Scheduled Task (3)