General
Target: f51f1f279feb7964a187ecdcd07c6f741d77cbcbb909a28aed96f52fc2d1b9e1.zip
Size: 1.2MB
Sample: 240727-clkaqstbqg
MD5: 4323b9dc93889a0f7c88f10a31149de7
SHA1: 31729df81f3cc3412b3ce38542cdb6816e2bf146
SHA256: f51f1f279feb7964a187ecdcd07c6f741d77cbcbb909a28aed96f52fc2d1b9e1
SHA512: a1603a8279b14c39dd3b4fcc06cd712e04cabc4a715d252b755e086b1f3d2e9683c3b62e60d9df9e350424df0408f1e6fa1803bc36a2c8d8bb4276682a1a1c33
SSDEEP: 24576:wUShb0Ug8XZdz5hrwoXo96VoroDx3Z1hqWbrc337RLqmOunjWq9js/rIl:bcb0KVRwm86VorKx3Z1kWbY3LvOunj
Static task: static1
Behavioral tasks (sample, resource):
- behavioral1: RFQ-SW M-0013091-DHABI HARDWARE.exe, win7-20240704-en
- behavioral2: RFQ-SW M-0013091-DHABI HARDWARE.exe, win10v2004-20240709-en
- behavioral3: extnet.dll, win7-20240704-en
- behavioral4: extnet.dll, win10v2004-20240709-en
- behavioral5: jli.dll, win7-20240708-en
- behavioral6: jli.dll, win10v2004-20240709-en
- behavioral7: msvcpcore.dll, win7-20240704-en
- behavioral8: msvcpcore.dll, win10v2004-20240709-en
- behavioral9: prefs.dll, win7-20240704-en
- behavioral10: prefs.dll, win10v2004-20240709-en
- behavioral11: vcruntime140.dll, win7-20240704-en
- behavioral12: vcruntime140.dll, win10v2004-20240709-en
- behavioral13: vcruntime140_1.dll, win7-20240708-en
- behavioral14: vcruntime140_1.dll, win10v2004-20240709-en
- behavioral15: winsxspv.dll, win7-20240705-en
- behavioral16: winsxspv.dll, win10v2004-20240709-en
Malware Config
Extracted
Protocol: ftp
Host: ftp.ercolina-usa.com
Port: 21
Username: [email protected]
Password: uy,o#mZj8$lY
Extracted (agenttesla)
Protocol: ftp
Host: ftp://ftp.ercolina-usa.com
Port: 21
Username: [email protected]
Password: uy,o#mZj8$lY
Targets

Target: RFQ-SW M-0013091-DHABI HARDWARE.exe
Size: 24KB
MD5: 9f6938e89824ccce04a9272087dec776
SHA1: 7f19bee228698f4b0bb90b40c6ca2bcadc326a66
SHA256: b500874cd5939223c2b7cb52134bef3a3bf6ab1c1d112bf27c6b5e5b15f8177f
SHA512: e0052a1bcf5d5ab910da6541c51338e1215a265e8521260bf08ab00ac0320653dafab565ef616d7f1192fb55d4b0feb1666b1a73fcc7b08ae0ac0e625f4b67e1
SSDEEP: 384:eM4cghl1oqCrKFf4H5A2eFP27xWkVbgWUlIx4cNWcG0FP27NBY3Yuv+ivM:WSqbFQH5iKxnVbgvqxNNZK/Y/+
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Credentials from Password Stores: Credentials from Web Browsers: malicious access to or copy of the web browser credential store.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: extnet.dll
Size: 24KB
MD5: 09933bf55c8ebf5e8cf1feb176481801
SHA1: c1c20be9a15ecccf6aaa480af2393ca636809f32
SHA256: 0f3c856246dd80f30c849156253a5c29ec3e129e366fdd51d2ca8823a516c3e9
SHA512: f012f7e803afc67a6b8055ac07632f611be49b11f8f41bd06a24f5cc93ad7edbdbb34c732267b98bcc254382b570cf923e04edadf1482cf01a47e4908fb4c3ca
SSDEEP: 384:sV18LnUTFTr7UqCdCFP27xWkVbgWUlIx4c5WDf/U0FP27NBY3Yuv+XCoN:VjUTuNEKxnVbgvqxN5sK/Y/+XCoN
Score: 1/10
Target: jli.dll
Size: 1.8MB
MD5: bcb0241f3d342932863f1812e7e59d7c
SHA1: b5d6da864148f16cbcfef7ea9afd2c82e7f1e30c
SHA256: 99f65e231e2ce3ff798cc131b123a213faa5fe329154db02611201317c45e091
SHA512: 124cde5670ce7ff3c870cc68aeb3225bfd839114ba3e9b4e10a40f23cafb31478d2a55db152c6e06b3ff740cf7b7115c149dc2796e924cea24bb41563aec15f9
SSDEEP: 24576:3x9Cm6pOSgrbtR/UDI2KNc32ybHAaD835rkbqO1UkTrclCPIdkgVmdnALoBhkw2:3x9Cm6ASgrbtFUDXTA7gMMPIxYyLgGr
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Credentials from Password Stores: Credentials from Web Browsers: malicious access to or copy of the web browser credential store.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: msvcpcore.dll
Size: 244KB
MD5: 840783b067071df45f8562218277ed91
SHA1: 845763f4923bc3e7f3a195f60ca54757626eb114
SHA256: 97111473c6ada4542a52cf980d3c97bcc8ba5907d7a219f3fab7478cf2ea1aea
SHA512: ad80b794b1067113e6d602226a3902fd19dbbd46a9ac60f583c6502b8be9a628a639ee2c465f28aa7731bc549d6f1186d40379843be8621301c3d2f5a0e53f2f
SSDEEP: 6144:rH2kUt9qWrmywGtXklfR3C7m779Ezm+CEOzECvCZ721:rW/9qnywGcZ3xM+3CZY
Score: 1/10
Target: prefs.dll
Size: 26KB
MD5: 9b6280e64b6d89b03b67db84b54aaa93
SHA1: 5fdd63567326fc0f507b3dac86ec4297fde166d0
SHA256: 8897b9d5734146ecc34cf7ab7d5dbbc3798db54da731b324d1b41c2bdb0efe64
SHA512: b6b6eba5da72a5561cb6c19abdcabe4e364c7d293db3ad5672532a058e83abe94a7fc2c8ab352812079057c7403aa3580df08a141144ac4625ed8c26d18cc1a7
SSDEEP: 768:e3sZ6lhi5opYD75YpKxnVbgvqxNdliK/Y/+8U:Uk0s5SYD76pKxnKvKNdliK/WU
Score: 1/10
Target: vcruntime140.dll
Size: 107KB
MD5: 146eb6b29080a212b646289808ae0818
SHA1: e5d9801f226ecd3af662df225f751ae8a8934357
SHA256: f66c606d2ee6bbca375ab4268b0c6aef5170a4ca580a00e17a56057a7a127743
SHA512: 0824b42ca2539709f77134ffea9c10fc9f4c126b6a309bd5d3ddd02a660ef98d63b178219d83b173340798c479a1008c2d4f57830898673043fee2450a210a58
SSDEEP: 3072:y67mylIhkoQpdK9H9YOecbKV02pKuKLK/M:7iylZoQwH93ecbKCR72/M
Score: 1/10
Target: vcruntime140_1.dll
Size: 49KB
MD5: c106bef63b8db2f32de277b0c314249f
SHA1: b172b5809f95bd4f4181fe30c30368b50a27f08a
SHA256: dced523e24b4374522c86f7bbfc0ac8d8e1078336492629722081339adaad9ba
SHA512: 77aab947ffec187f054c68899f2b4186a53b2901fb74ee6702586c1207a4abea238c64da0aa3ebe56695c31606b315f9a6289ca1748e9770fcfca5816e7e6580
SSDEEP: 768:+Cm5yhUcwrHY/ntTxT6ovF7IVwwIl9znKxnVbgvqxNJUoK/Y/+b:lOHc16opIVwwI3znKxnKvKNJUoK/x
Score: 1/10
Target: winsxspv.dll
Size: 288B
MD5: 34a77ab02e849e3a5fca69b22dc5b4b8
SHA1: 944ea6c33d3ce4ea272a7cb19dedb74175a97897
SHA256: f99553cee956e85d200d6b9872d6c52c0143be489dbd0998dff4d60122641719
SHA512: a125725bb1966fbd0e256a1fd0a05a39ec63b14d6e10b2a4897d83b8f89f36f1fb1fb1c6a0c0bd100ef82dada8ab3db98ef0e75d54d918f245918d78b007bcfd
Score: 1/10
MITRE ATT&CK Enterprise v15
Privilege Escalation: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder