General
-
Target
3da88076ffc753bc3ddd5238365b3140f3db65b45f9ef363beaa5e9111c15f96
-
Size
1.1MB
-
Sample
240728-h5cynavcmr
-
MD5
57feeab5dd99b695874f72410e3fd3f5
-
SHA1
acb74312dc7880873e6828fb74e02c1797021dd6
-
SHA256
3da88076ffc753bc3ddd5238365b3140f3db65b45f9ef363beaa5e9111c15f96
-
SHA512
bef427431a0a345123e87360887b8d564309d732c251a345f0d1a221234f239b057f09b2205ef19cc4914e72b509d336b6e2df3f1bd43e73a008cc5af4314ab8
-
SSDEEP
24576:mjvslQRrENaTPRCChDwYd4oyxqY+xQziQn/Qqsuf+lN:csl8rEkRC8ZyqYrHGlN
Static task
static1
Behavioral task
behavioral1
Sample
7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe
Resource
win10v2004-20240709-en
Malware Config
Extracted
redline
cetry
204.14.75.2:16383
Extracted
agenttesla
https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/
Targets
-
-
Target
7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe
-
Size
1.2MB
-
MD5
57b81f3bfbd7e82065190ea6a2f59849
-
SHA1
2af119b418045b812b3b05f3d5385b11bfa89e91
-
SHA256
7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579
-
SHA512
345ddaa582bce12408cc2468a0f291c81578bf4f8bc4b5544c23b4a1c81fa5eef523bac425f0131237cce94ea04feb39f24226dae0933663473f6b230475d314
-
SSDEEP
24576:FY14/4rJAmk0U5hQ/Js4KvodVuI14/4r4zSHRm4Fc9R/p7ga1y8VP28ZSB6Q:FYaglZk5y/J3KvmVjagTQpmvyC
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1