General

  • Target

    c4990aebded04b1f4a9c34072e736771183d8dcd091adf27ede3cb8c04ba520c

  • Size

    5.7MB

  • Sample

    240620-cwmhvaxhqq

  • MD5

    15317a0db98ac9c90ec9b3b9dd22dc3f

  • SHA1

    6162baa5bed419865a92779617522814451b7306

  • SHA256

    c4990aebded04b1f4a9c34072e736771183d8dcd091adf27ede3cb8c04ba520c

  • SHA512

    0adee4da5a7c73d18b4dddf403c53447e38260e651714c5a3cd2cb9cb6ca6111e050a7bf6d8885ecae384c01ed332ee946f99c020b216039d972c6ea7cff9949

  • SSDEEP

    98304:F2tnm4+igyfxCuqTr0XQZrirlfIls1M/AXJAp9nsYInfyDC4/P6adbFWl/U:8U4VbJw/gorirlIXkJ898fJ+6ads+

Malware Config

Extracted

Family

agenttesla

Credentials

C2

https://api.telegram.org/bot6398508790:AAFROO4FvHYek5_hchyogAsV7yTvxfINRRg/

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ppg-pa.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    DKKfy2001$

Extracted

Family

risepro

C2

77.91.77.122:50500

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.softtricksmedia.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    soft#!7som7

Targets

    • Target

      0477d366c3dce1723cf124fc263a85654b4454909dffcc0d325020f1187e4f34.exe

    • Size

      602KB

    • MD5

      b4b045a39da0b2d38940085d78d1ab14

    • SHA1

      2678aa772b284a12488e7abdb5c9bab76a0bd9bf

    • SHA256

      0477d366c3dce1723cf124fc263a85654b4454909dffcc0d325020f1187e4f34

    • SHA512

      e2a13b0b7bfaf3c3a02672425de6a32d87e0a0cdb7c6439ba91bac53429d420ce602ac3654216add8ccf416ba58688388667233c2144941c07cfc318e8c35184

    • SSDEEP

      12288:78ALbFN7nwPgrUd+N2qUouxL/8YpOrbW1wEW9XGGc5S0xquGjk+kJhDd:LLwIrw+oq9uxT8sOrbW1wEQXOS0RXd

    • Target

      0cdc65a0b7fa4c5628fa770639f41f2ccc8660bc1df91817f7d8afe59f2ef2ae.exe

    • Size

      262KB

    • MD5

      703d59b74a008335c79d8845f9529aee

    • SHA1

      d5a2da3813a5e377b271e92a6b32caff36833e24

    • SHA256

      0cdc65a0b7fa4c5628fa770639f41f2ccc8660bc1df91817f7d8afe59f2ef2ae

    • SHA512

      77cb4b819d5177ee16fb5511280c5edcfb24817cea536df3a15bf078cbb25b3761e9816c6a4dafe2a6c0c40c6f933e93fa2919adc00399ddf6be66f133b3dde3

    • SSDEEP

      6144:6DKW1Lgbdl0TBBvjc/2tfjgGODiQPHwT3WxHDwuO:8h1Lk70TnvjcuFEGODPvwiGuO

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      0f59ce549544ddeaf45168bce4908445413c92c48b7baaefd317e36658796642.exe

    • Size

      237KB

    • MD5

      7847646a82f2e8118c085c790b12f095

    • SHA1

      091b4d9b8cc72b6cb6e91b6f264ca5ffc619539f

    • SHA256

      0f59ce549544ddeaf45168bce4908445413c92c48b7baaefd317e36658796642

    • SHA512

      d2466ab1149a5fce64fe09127d271132f1b64fb7eb460946878307e421324129174a8f8b16c9d002cffbc63aa8aca55f37aa4cf5e9363c4f1108d500df94fb67

    • SSDEEP

      3072:DglEeWumuQ3UQSjH5J13lFbJgrG/jbo5ihpW0tfE:DgeeWumuQ3JSjH5nhBbZDW0f

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      16a7955213e4a78c58b8babe250d09e36e5567e18c7396bb7326af907e604ef9.elf

    • Size

      138KB

    • MD5

      98e31889837861036d55f5ccc81267d1

    • SHA1

      56903c1ff5088f858187078dc260320b8692bc5c

    • SHA256

      16a7955213e4a78c58b8babe250d09e36e5567e18c7396bb7326af907e604ef9

    • SHA512

      8776ffad660b5a931e26bae9db9b813526c284cf64cbac432c41879f89381e60734a059bb04639118c593ebfd892621d978f46e6380b738ef3207bcdd953c05f

    • SSDEEP

      3072:eoDf4yfSJMZXf9tB3VggBc8VYmZ8ezF2wcmSi3tH+y:h7fFtjlxRz/cm33V+y

    Score
    1/10
    • Target

      1d6d36ec589cbecea839e3b4a5156a35f48436847043f2e1f307f6579e7893e2.vbs

    • Size

      154KB

    • MD5

      8993abe6fdbed5a58e5f8806cb1a12d8

    • SHA1

      6f52e232be6a55b0411d2d2bf1e03b01b7388921

    • SHA256

      1d6d36ec589cbecea839e3b4a5156a35f48436847043f2e1f307f6579e7893e2

    • SHA512

      9de0b6554063778d0fec454f0fcb72acc5a1b652aff0f4513254097b6cfdce80c496e330ba93c2bacbabc5437fa508a124eb5e099c0e92dca2d7b70975090bd3

    • SSDEEP

      3072:Gvn9Dm5IXdH7eAlsSyP/ioJbae+nzu6J5RcuXrMLyVZH4lY0Gx2gDwDjNMrt:Gvn9Dm5IXdH7ecsSyP/io9ae+nzu6J5j

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      36a837a789f23110df93012b7da12c54857e10f342467d9ba2c0d0e2b2471fed.elf

    • Size

      70KB

    • MD5

      7762aace160a4a060b9fb26babaefc14

    • SHA1

      e5b5303fe5a3e977facc1e2b8db639883b01dda1

    • SHA256

      36a837a789f23110df93012b7da12c54857e10f342467d9ba2c0d0e2b2471fed

    • SHA512

      e39a7efd942831807948913938471e01bc12ffa3475801845746243c626deb482a8f4b1ac09d1a0839e200d140017304082e1ce47b882b9fcd7f96093a3532a2

    • SSDEEP

      1536:5NcpHox7nXG4GTwplIaCDyV6jd7AI3kF/nznEjLr2WVNIsgKOf8d:5N407Xj3PIaCDMo+I3gnzEjLrJlOf8d

    Score
    1/10
    • Target

      4c677969cde4b12fede4247e99653415ccf938d98d4958d99af13193cefab844.exe

    • Size

      635KB

    • MD5

      af4c4394fd76d48c76265fa7393dbaf1

    • SHA1

      d08fe29a6362e1416ea464766beb2e5120a8d347

    • SHA256

      4c677969cde4b12fede4247e99653415ccf938d98d4958d99af13193cefab844

    • SHA512

      fa0a58d48584e3547c643c5df0f2783ba73d584306630feb4a9abd32f583df48d25339ed964393e12c52717a33168c9e65ea6b58c6e6525d9ed216952a895738

    • SSDEEP

      12288:Ia9PJCwxBS/ktL8picnoYgwkSpX3MBdkFIyFLkEseB7U5UjJJ++BzqyJM:ICPJCwi/+L84tSpHMBqGydkEseB4eJ+I

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      57430074bee1e7a668e0ece81119fcc8595a70c8a0e6be3d98bf1cc455f4fd49.exe

    • Size

      265KB

    • MD5

      0da587694f34431b18b09ec33c15d065

    • SHA1

      0e46586eda6c403c54674963522c7f9ce0a5fe73

    • SHA256

      57430074bee1e7a668e0ece81119fcc8595a70c8a0e6be3d98bf1cc455f4fd49

    • SHA512

      9e1c62d6d268efd2473dac0af0405617b24239efcc9a3d7640935fcb6549de7e1f3664276ed7a28465a3be61d5fe6934de06f3938707ef3403a10a26cf74b136

    • SSDEEP

      6144:5DKW1Lgbdl0TBBvjc/fNVOAboGApTQMeoBq7ST6:ph1Lk70TnvjcXNsbGAppeoq+u

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      68a9e97be5bec9fba6108897ebef0a1f00dec90cf894071dc80ba0fed62a2999.exe

    • Size

      2.6MB

    • MD5

      c8432b773d48e5e0a9f2d1ecb7c557f8

    • SHA1

      ffd30a12849776a23351e9e768fc7b635553c271

    • SHA256

      68a9e97be5bec9fba6108897ebef0a1f00dec90cf894071dc80ba0fed62a2999

    • SHA512

      7d2e4e382f9591f0ba5098d6a265f6b70b5a6c360f6223ac0309edf7bea7c13c4b951888244ddafb512127b2c192075aeaf77a93ded3a1336e822abcfd83ebc8

    • SSDEEP

      49152:KDjlabwz9PDjlabwz96f+wrja6tTPZYoUKm5OeNRwXIM2BfM3:6qwhqws+ia6tzZ1Zm5OmRwX0B+

    Score
    10/10
    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      7a976ca005082ab7acea1a46330935bfdfeedf70f37f1707122b7335fa7201ae.exe

    • Size

      245KB

    • MD5

      a3164b25a785cd6ebee79f42912c839b

    • SHA1

      22bb441e4bbe64fd23c49a87a2e17133674a523a

    • SHA256

      7a976ca005082ab7acea1a46330935bfdfeedf70f37f1707122b7335fa7201ae

    • SHA512

      c450caeab4f87a32e8c277cbffff38556b3cc40b77b59e06c783541de3203b5b94356eb770e1c182c1a984b0ed31183824c2678e9bb6ce1290816b45cb8a2e2e

    • SSDEEP

      3072:bloHvUQkoUEmxeoZUgOo8MPKEuH/tCYq05a4jJCCKE:bmvUQkoUEmxpZUgShCYqfsJ3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      SKGHM_PE_757583588358839538539599593BeoersKnucklehead.vbs

    • Size

      154KB

    • MD5

      8993abe6fdbed5a58e5f8806cb1a12d8

    • SHA1

      6f52e232be6a55b0411d2d2bf1e03b01b7388921

    • SHA256

      1d6d36ec589cbecea839e3b4a5156a35f48436847043f2e1f307f6579e7893e2

    • SHA512

      9de0b6554063778d0fec454f0fcb72acc5a1b652aff0f4513254097b6cfdce80c496e330ba93c2bacbabc5437fa508a124eb5e099c0e92dca2d7b70975090bd3

    • SSDEEP

      3072:Gvn9Dm5IXdH7eAlsSyP/ioJbae+nzu6J5RcuXrMLyVZH4lY0Gx2gDwDjNMrt:Gvn9Dm5IXdH7ecsSyP/io9ae+nzu6J5j

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      CV Elena Alba Garcia.exe

    • Size

      635KB

    • MD5

      af4c4394fd76d48c76265fa7393dbaf1

    • SHA1

      d08fe29a6362e1416ea464766beb2e5120a8d347

    • SHA256

      4c677969cde4b12fede4247e99653415ccf938d98d4958d99af13193cefab844

    • SHA512

      fa0a58d48584e3547c643c5df0f2783ba73d584306630feb4a9abd32f583df48d25339ed964393e12c52717a33168c9e65ea6b58c6e6525d9ed216952a895738

    • SSDEEP

      12288:Ia9PJCwxBS/ktL8picnoYgwkSpX3MBdkFIyFLkEseB7U5UjJJ++BzqyJM:ICPJCwi/+L84tSpHMBqGydkEseB4eJ+I

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe

    • Size

      602KB

    • MD5

      b4b045a39da0b2d38940085d78d1ab14

    • SHA1

      2678aa772b284a12488e7abdb5c9bab76a0bd9bf

    • SHA256

      0477d366c3dce1723cf124fc263a85654b4454909dffcc0d325020f1187e4f34

    • SHA512

      e2a13b0b7bfaf3c3a02672425de6a32d87e0a0cdb7c6439ba91bac53429d420ce602ac3654216add8ccf416ba58688388667233c2144941c07cfc318e8c35184

    • SSDEEP

      12288:78ALbFN7nwPgrUd+N2qUouxL/8YpOrbW1wEW9XGGc5S0xquGjk+kJhDd:LLwIrw+oq9uxT8sOrbW1wEQXOS0RXd

    • Target

      fa396ba6c1ae4e9c786cff1a78012d86bd9a896f4999d4ba3b90864021fa806c.exe

    • Size

      871KB

    • MD5

      2abc28bccfd4512e91ac2b8f3537c307

    • SHA1

      c5111761aeec5523798ebe82438a5064f58b9459

    • SHA256

      fa396ba6c1ae4e9c786cff1a78012d86bd9a896f4999d4ba3b90864021fa806c

    • SHA512

      07d92494e91c9502e33b76c2593ede82981ca6815bdfb1793b07331a8f86628fc5e56b1184eb1f80d78b74843289f5e042d200d75a298d084d0f2a035a7cfc22

    • SSDEEP

      12288:i+19eRK6BdJ7Tv6u+ixobvDp6Aqxizx+6eH0Mmh+mbNGTE3/3PrfyqUQejzT6H0G:iC6B1+ixmpbqx

    Score
    10/10

MITRE ATT&CK Enterprise v15

Tasks

static1

botnet upx agenttesla mirai
Score
10/10

behavioral1

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral2

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral3

agenttesla keylogger persistence spyware stealer trojan
Score
10/10

behavioral4

agenttesla keylogger persistence spyware stealer trojan
Score
10/10

behavioral5

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral6

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
8/10

behavioral9

Score
8/10

behavioral10

Score
1/10

behavioral11

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral12

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral13

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral14

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral15

Score
7/10

behavioral16

risepro stealer
Score
10/10

behavioral17

agenttesla keylogger persistence spyware stealer trojan
Score
10/10

behavioral18

agenttesla keylogger persistence spyware stealer trojan
Score
10/10

behavioral19

Score
8/10

behavioral20

Score
8/10

behavioral21

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral22

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral23

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral24

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral25

evasion trojan
Score
10/10

behavioral26

Score
1/10