Overview

overview

10

Static

static

10

224cb722a3...1a.exe

windows7-x64

1

224cb722a3...1a.exe

windows10-2004-x64

1

purchase o...01.exe

windows7-x64

10

purchase o...01.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    960db67081f8b25865698988f9758d0c80a7601c8326902eb52d1fe8ae6b9f0e

  • Size

    1.0MB

  • Sample

    240720-bfm9rszakn

  • MD5

    9decd029a7800230daaae693cd48c6af

  • SHA1

    6b5133eed57881bbfaef4f18dece5299b8879d5e

  • SHA256

    960db67081f8b25865698988f9758d0c80a7601c8326902eb52d1fe8ae6b9f0e

  • SHA512

    f229700238de5b0b4c7da31d60f4bdd5ce2b4d8a60ca3f5fb15ca6f7f46f9daddd2218b9660ee30e4a1cf1126194dddd2996831e0afacfa3c9cbd71c32f733dd

  • SSDEEP

    24576:CcatvGcxvi4KVNYIejOQJBZc80oOv0MapS3awJLGgvZV:ctrxvi44g3x0ouapSr5zRV

Score
10/10
agentteslamysticredlinebigpaydiscoveryexecutioninfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Family

redline

Botnet

bigpay

C2

204.10.160.140:7001

Targets

    • Target

      224cb722a3b940c564dd0f4e6347776a6ebd2ce4d1ce898cc16769a8ec079b1a.exe

    • Size

      140KB

    • MD5

      1baba2d74f12915a3b89ecb883315008

    • SHA1

      c45b81ab4753eafe6d5f0e0ce9623c79e888a8df

    • SHA256

      224cb722a3b940c564dd0f4e6347776a6ebd2ce4d1ce898cc16769a8ec079b1a

    • SHA512

      7a4597bb7c8c058c0171cde6c341e74fab5754b1b0054117b3cdd016837cc37ea4609de36638eadf1bc52bbf64fdce2cde6302898bff4546729721e3ce311277

    • SSDEEP

      3072:B2rwPGZSiq413j9DE0CA6DWkJZz8qjOYRwRcTvRB8Z4PHjnCp:c5ZSsQ0RAXkYRLnCp

    Score
    1/10
    behavioral1behavioral2

    • Target

      purchase order - PO-011024-201.exe

    • Size

      975KB

    • MD5

      fb5123fc6707fe4e06c962b5aa7d8f1d

    • SHA1

      a06b21030a4dcd1b9e987c13742be49540c5ee46

    • SHA256

      7306a090c8afd7557dc6a32f072937107058f5d14b5d416730b189647980b757

    • SHA512

      a7261913938b0acf68b74a7ab54ada022f27e33ecdd5c07d6cdb7d939ab2ee0dbfafa6548fc022f2e08e796200df7fbce49a913bad1182d1772cc5d3a3235c5a

    • SSDEEP

      24576:+2BL9SiKt1yowjwQ9Bj+20sOZgSGnS3ewqm:+2BL9SiA81N0seGnS3q

    Score
    10/10
    agentteslaredlinebigpaydiscoveryexecutioninfostealerkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks