General
-
Target
09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f
-
Size
790KB
-
Sample
240803-bxs7caydkl
-
MD5
c17695e30b4eca8c1ea15dfc6b4741f7
-
SHA1
3aad8f4df2826bf777654a39af944011ead7cb1b
-
SHA256
09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f
-
SHA512
8e0f8b79a82792caa152542fda3d7a11ba7da341267ca84eab3935a8f96b6aa887703e1a4d43178196e93d70afb1b71a08fa299ed386e0b812d54fc2f387d206
-
SSDEEP
24576:nMTsaArNuC1Un3ld9AYt75cAdwAnflsA2:ndPrW3l7PuAnflsA2
Behavioral task
behavioral1
Sample
09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
redline
biss
172.81.131.198:16383
Extracted
agenttesla
https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/
Targets
-
-
Target
09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f
-
Size
790KB
-
MD5
c17695e30b4eca8c1ea15dfc6b4741f7
-
SHA1
3aad8f4df2826bf777654a39af944011ead7cb1b
-
SHA256
09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f
-
SHA512
8e0f8b79a82792caa152542fda3d7a11ba7da341267ca84eab3935a8f96b6aa887703e1a4d43178196e93d70afb1b71a08fa299ed386e0b812d54fc2f387d206
-
SSDEEP
24576:nMTsaArNuC1Un3ld9AYt75cAdwAnflsA2:ndPrW3l7PuAnflsA2
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1