Resubmissions

07-08-2024 14:11

240807-rhfwgazbpl 10

07-08-2024 12:54

240807-p5qcbayfqk 10

05-08-2024 08:07

240805-j1er5avcph 10

General

  • Target

    a72b72b5cfd4c710c3b61798a99126df9cb3cc10d6ee6933dadeb65cbb7b0247

  • Size

    933KB

  • Sample

    240807-p5qcbayfqk

  • MD5

    9c3b9f7105ab643df87d6e35dc9e1cf1

  • SHA1

    b6d32d06279d17d99d7df411bb8ff8e6f95f8e5b

  • SHA256

    a72b72b5cfd4c710c3b61798a99126df9cb3cc10d6ee6933dadeb65cbb7b0247

  • SHA512

    614616423550f7aeddd4264cf8db6671689d2c6e50ac3e9a3acd278b00915ddbf5ca8842c8969b4ed2ef43524dc84ab6342961eeffbedaecba7eae2d79b2778b

  • SSDEEP

    24576:TrFWl7FgUTU99lLhcwgs6UNgjMQXBcr74E3Hw:TraZhw99lL9gdFvxcrEEg
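The SSDEEP value above is the fuzzy hash of the submitted archive; the per-file values listed under Targets further down the page can be compared with one another to see which of the dropped files share content (several of them visibly share the substring KxnVbgvqxN with the main executable). The script below is an added example, not part of the sandbox report: it re-implements the ssdeep comparison algorithm (block-size compatibility check, a 7-character common-substring gate, then a Levenshtein distance with insert/delete cost 1 and substitution cost 2, scaled to 0..100) from my recollection of the reference implementation, so treat the exact numbers as approximate and use the ssdeep library for authoritative scores. The hash strings are copied from this page.

```python
"""Compare the SSDEEP hashes listed on this page to find files that share content.

Added example; not part of the sandbox report. Constants and costs follow the
ssdeep reference implementation as I recall it (assumption): SPAMSUM_LENGTH 64,
MIN_BLOCKSIZE 3, ROLLING_WINDOW 7, insert/delete cost 1, substitution cost 2.
"""
import re

SPAMSUM_LENGTH = 64
MIN_BLOCKSIZE = 3
ROLLING_WINDOW = 7

# Hash strings copied from this report (archive plus the files under Targets).
HASHES = {
    "archive": "24576:TrFWl7FgUTU99lLhcwgs6UNgjMQXBcr74E3Hw:TraZhw99lL9gdFvxcrEEg",
    "RFQ-SW M-0013091-DHABI HARDWARE.exe":
        "384:eM4cghl1oqCrKFf4H5A2eFP27xWkVbgWUlIx4cNWcG0FP27NBY3Yuv+ivM:WSqbFQH5iKxnVbgvqxNNZK/Y/+",
    "extnet.dll":
        "384:sV18LnUTFTr7UqCdCFP27xWkVbgWUlIx4c5WDf/U0FP27NBY3Yuv+XCoN:VjUTuNEKxnVbgvqxN5sK/Y/+XCoN",
    "jli.dll":
        "24576:IQ+OuL3KOCmq+iGBosR0560crMCnWbU1UtCmB2Fkjr1LXXMCmJ0N6JWM940db:IQjUT054rMFCmB2FkjrdX4a01",
    "msvcpcore.dll": "6144:/NIo3O0jW+QS/zaaZ2EW7CNHIy9+POfqzQMSGgQafXwI:D/i+ejElNoyoPTMZ7QMXwI",
    "prefs.dll": "768:e3sZ6lhi5opYD75YpKxnVbgvqxNdliK/Y/+8U:Uk0s5SYD76pKxnKvKNdliK/WU",
    "vcruntime140.dll": "3072:y67mylIhkoQpdK9H9YOecbKV02pKuKLK/M:7iylZoQwH93ecbKCR72/M",
    "vcruntime140_1.dll":
        "768:+Cm5yhUcwrHY/ntTxT6ovF7IVwwIl9znKxnVbgvqxNJUoK/Y/+b:lOHc16opIVwwI3znKxnKvKNJUoK/x",
}


def _squash(s):
    """Collapse runs of more than three identical characters to three (little information in them)."""
    return re.sub(r"(.)\1{3,}", r"\1\1\1", s)


def parse(h):
    """Split 'blocksize:chunk1:chunk2[,filename]' into (int, str, str)."""
    m = re.fullmatch(r"(\d+):([^:]*):([^:,]*)(?:,.*)?", h)
    if not m:
        raise ValueError("not an ssdeep hash: %r" % h)
    return int(m.group(1)), _squash(m.group(2)), _squash(m.group(3))


def _has_common_substring(a, b, n=ROLLING_WINDOW):
    """Gate: the strings must share at least one n-character substring."""
    if len(a) < n or len(b) < n:
        return False
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def _edit_distance(a, b, ins=1, dele=1, sub=2):
    """Weighted Levenshtein distance (two-row dynamic programme)."""
    prev = list(range(0, (len(b) + 1) * ins, ins))
    for i, ca in enumerate(a, 1):
        cur = [i * dele]
        for j, cb in enumerate(b, 1):
            replace = prev[j - 1] + (0 if ca == cb else sub)
            cur.append(min(prev[j] + dele, cur[j - 1] + ins, replace))
        prev = cur
    return prev[-1]


def _score_strings(a, b, block_size):
    """Score one chunk pair 0..100; 0 when they cannot be meaningfully compared."""
    if len(a) > SPAMSUM_LENGTH or len(b) > SPAMSUM_LENGTH:
        return 0
    if not _has_common_substring(a, b):
        return 0
    score = _edit_distance(a, b) * SPAMSUM_LENGTH // (len(a) + len(b))
    score = 100 - (100 * score // SPAMSUM_LENGTH)
    # Small block sizes carry little data, so cap the score by how much they represent.
    if block_size >= (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE // ROLLING_WINDOW:
        return score
    return min(score, block_size // MIN_BLOCKSIZE * min(len(a), len(b)))


def compare(h1, h2):
    """ssdeep-style similarity of two hashes, 0..100."""
    bs1, a1, a2 = parse(h1)
    bs2, b1, b2 = parse(h2)
    if bs1 != bs2 and bs1 != bs2 * 2 and bs2 != bs1 * 2:
        return 0                     # no block size in common: incomparable
    if bs1 == bs2 and a1 == b1 and a2 == b2:
        return 100
    if bs1 == bs2:
        return max(_score_strings(a1, b1, bs1), _score_strings(a2, b2, bs1 * 2))
    if bs1 == bs2 * 2:               # h1's first chunk is at h2's second chunk's block size
        return _score_strings(a1, b2, bs1)
    return _score_strings(a2, b1, bs2)


def related_files(hashes, threshold=1):
    """All pairs scoring at least `threshold`, highest score first."""
    names = list(hashes)
    pairs = []
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            score = compare(hashes[n1], hashes[n2])
            if score >= threshold:
                pairs.append((score, n1, n2))
    return sorted(pairs, reverse=True)


if __name__ == "__main__":
    for score, n1, n2 in related_files(HASHES):
        print(f"{score:3d}  {n1}  <->  {n2}")
```

Run it and the 24KB executable pairs with extnet.dll (same block size) and, through the cross-block-size path, with prefs.dll and vcruntime140_1.dll, while the 1.4MB jli.dll and the archive share no block size with the small files and score 0. A low sandbox score on a dropped file therefore says nothing about whether it was produced by the same builder as the payload; the fuzzy hashes do.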

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    uy,o#mZj8$lY

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    uy,o#mZj8$lY
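The two Extracted records above describe the same exfiltration channel (the second host value merely carries an ftp:// prefix), and the credentials travel in plaintext FTP on port 21, so the channel is easy to hunt for in network telemetry. The script below is an added example, not part of the sandbox report: it normalises both records into one indicator, then joins constructed DNS and connection logs (a reduced tab-separated layout modelled on Zeek's dns.log and conn.log, using documentation-range addresses) to find hosts that spoke to the C2 server on its FTP port. The host, port and password are taken from the report; the username is shown on the page as [email protected], which is address obfuscation, so it is carried through unchanged rather than guessed.

```python
"""Normalise the report's two 'Extracted' FTP credential records into one C2
indicator and hunt for the exfiltration channel in DNS and connection logs.

Added example; not part of the sandbox report. The log lines are constructed
(reduced Zeek-style columns, documentation-range addresses).
"""
from urllib.parse import urlsplit

# Both records as they appear on the page; the second host carries an ftp:// prefix.
EXTRACTED = [
    {"protocol": "ftp", "host": "ftp.ercolina-usa.com", "port": "21",
     "username": "[email protected]", "password": "uy,o#mZj8$lY"},
    {"protocol": "ftp", "host": "ftp://ftp.ercolina-usa.com", "port": "21",
     "username": "[email protected]", "password": "uy,o#mZj8$lY"},
]

# Constructed dns.log subset: ts, client, query, answers (comma-separated).
DNS_LOG = """\
1722991101.10\t10.0.0.25\tftp.ercolina-usa.com\t203.0.113.10
1722991102.30\t10.0.0.25\tcheckip.dyndns.org\t198.51.100.7
1722991200.00\t10.0.0.40\twww.example.com\t192.0.2.5
"""

# Constructed conn.log subset: ts, orig_h, orig_p, resp_h, resp_p, proto, service.
CONN_LOG = """\
1722991103.00\t10.0.0.25\t49812\t203.0.113.10\t21\ttcp\tftp
1722991104.50\t10.0.0.25\t49813\t198.51.100.7\t80\ttcp\thttp
1722991201.00\t10.0.0.40\t49900\t192.0.2.5\t443\ttcp\tssl
1722991250.00\t10.0.0.31\t50001\t203.0.113.10\t21\ttcp\tftp
"""


def normalise(record):
    """Reduce one config record to a bare lower-case hostname, int port and protocol."""
    raw = record["host"].strip()
    if "://" in raw:                      # 'ftp://host[:port]' form
        parts = urlsplit(raw)
        host, url_port = (parts.hostname or ""), parts.port
    else:                                 # 'host' or 'host:port' form
        host, _, tail = raw.partition(":")
        url_port = int(tail) if tail.isdigit() else None
    # The record's own port field wins; fall back to a port embedded in the URL.
    port = int(record["port"]) if str(record.get("port", "")).isdigit() else url_port
    return {
        "protocol": record["protocol"].strip().lower(),
        "host": host.lower().rstrip("."),
        "port": port,
        "username": record["username"],   # left as shown on the page
        "password": record["password"],
    }


def c2_indicators(records):
    """Normalise and deduplicate on (protocol, host, port); the first record wins."""
    unique = {}
    for rec in records:
        norm = normalise(rec)
        unique.setdefault((norm["protocol"], norm["host"], norm["port"]), norm)
    return list(unique.values())


def resolved_addresses(dns_log, hostnames):
    """Map answer IP -> queried name, for queries naming one of `hostnames`."""
    wanted = {h.lower().rstrip(".") for h in hostnames}
    addr_to_host = {}
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, _client, query, answers = line.split("\t")
        query = query.lower().rstrip(".")
        if query in wanted:
            for ip in answers.split(","):
                addr_to_host.setdefault(ip.strip(), query)
    return addr_to_host


def find_c2_connections(conn_log, indicators, addr_to_host):
    """Return connections whose destination resolved to an indicator host on its port."""
    wanted = {(ind["host"], ind["port"]) for ind in indicators}
    hits = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, _proto, service = line.split("\t")
        host = addr_to_host.get(resp_h)
        if host is not None and (host, int(resp_p)) in wanted:
            hits.append({"ts": float(ts), "src": orig_h, "dst": resp_h,
                         "host": host, "port": int(resp_p), "service": service})
    return hits


if __name__ == "__main__":
    iocs = c2_indicators(EXTRACTED)
    addrs = resolved_addresses(DNS_LOG, [i["host"] for i in iocs])
    for hit in find_c2_connections(CONN_LOG, iocs, addrs):
        print(f"{hit['src']} -> {hit['host']} ({hit['dst']}):{hit['port']} {hit['service']}")
```

Joining through the DNS log matters because a connection log only carries the resolved address, and the C2 hostname may move between addresses over the life of a campaign; matching on the name the victim actually resolved catches every address it used. Two clients in the constructed data reach the FTP server, which is the kind of fan-out that tells you the lure reached more than one mailbox.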

Targets

    • Target

      RFQ-SW M-0013022-DHABI HARDWARE/RFQ-SW M-0013091-DHABI HARDWARE.exe

    • Size

      24KB

    • MD5

      9f6938e89824ccce04a9272087dec776

    • SHA1

      7f19bee228698f4b0bb90b40c6ca2bcadc326a66

    • SHA256

      b500874cd5939223c2b7cb52134bef3a3bf6ab1c1d112bf27c6b5e5b15f8177f

    • SHA512

      e0052a1bcf5d5ab910da6541c51338e1215a265e8521260bf08ab00ac0320653dafab565ef616d7f1192fb55d4b0feb1666b1a73fcc7b08ae0ac0e625f4b67e1

    • SSDEEP

      384:eM4cghl1oqCrKFf4H5A2eFP27xWkVbgWUlIx4cNWcG0FP27NBY3Yuv+ivM:WSqbFQH5iKxnVbgvqxNNZK/Y/+

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      RFQ-SW M-0013022-DHABI HARDWARE/extnet.dll

    • Size

      24KB

    • MD5

      09933bf55c8ebf5e8cf1feb176481801

    • SHA1

      c1c20be9a15ecccf6aaa480af2393ca636809f32

    • SHA256

      0f3c856246dd80f30c849156253a5c29ec3e129e366fdd51d2ca8823a516c3e9

    • SHA512

      f012f7e803afc67a6b8055ac07632f611be49b11f8f41bd06a24f5cc93ad7edbdbb34c732267b98bcc254382b570cf923e04edadf1482cf01a47e4908fb4c3ca

    • SSDEEP

      384:sV18LnUTFTr7UqCdCFP27xWkVbgWUlIx4c5WDf/U0FP27NBY3Yuv+XCoN:VjUTuNEKxnVbgvqxN5sK/Y/+XCoN

    Score
    1/10
    • Target

      RFQ-SW M-0013022-DHABI HARDWARE/jli.dll

    • Size

      1.4MB

    • MD5

      7abb3a175bebea9db72667f6bbad3991

    • SHA1

      702b6d1756484eb284ac3d29d85f7037ff1bb944

    • SHA256

      f8062187de8879601b16565ba93aaa404914fda143adb0ab405f536428bfc454

    • SHA512

      bf39307d6df14e77c0942505987c2e0af4dfff36ad081b5d137eeb9640df671a2c8775cec7db37f6dcbe739a88b109035f8b7fe2e5b389efff003eface3ef457

    • SSDEEP

      24576:IQ+OuL3KOCmq+iGBosR0560crMCnWbU1UtCmB2Fkjr1LXXMCmJ0N6JWM940db:IQjUT054rMFCmB2FkjrdX4a01

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      RFQ-SW M-0013022-DHABI HARDWARE/msvcpcore.dll

    • Size

      244KB

    • MD5

      9efaf24a8c82976797452b16cc82cd61

    • SHA1

      fe577f7b5c7b4b40b54df6bf38d6eacdbdae3869

    • SHA256

      d2640150cb5ad34dfb815f9070ddf418d8c27b17c1a64185e7f8a10c732d23cf

    • SHA512

      c96e8eaeb153f6e001d84ee56b34908c7b86ff35873c3d6c82efb9e564f85d11d3e92cb60f037bd318a3b4d68b54e1ab0539e99d8a8f139c3fa7649b68ea0e4a

    • SSDEEP

      6144:/NIo3O0jW+QS/zaaZ2EW7CNHIy9+POfqzQMSGgQafXwI:D/i+ejElNoyoPTMZ7QMXwI

    Score
    1/10
    • Target

      RFQ-SW M-0013022-DHABI HARDWARE/prefs.dll

    • Size

      26KB

    • MD5

      9b6280e64b6d89b03b67db84b54aaa93

    • SHA1

      5fdd63567326fc0f507b3dac86ec4297fde166d0

    • SHA256

      8897b9d5734146ecc34cf7ab7d5dbbc3798db54da731b324d1b41c2bdb0efe64

    • SHA512

      b6b6eba5da72a5561cb6c19abdcabe4e364c7d293db3ad5672532a058e83abe94a7fc2c8ab352812079057c7403aa3580df08a141144ac4625ed8c26d18cc1a7

    • SSDEEP

      768:e3sZ6lhi5opYD75YpKxnVbgvqxNdliK/Y/+8U:Uk0s5SYD76pKxnKvKNdliK/WU

    Score
    1/10
    • Target

      RFQ-SW M-0013022-DHABI HARDWARE/vcruntime140.dll

    • Size

      107KB

    • MD5

      146eb6b29080a212b646289808ae0818

    • SHA1

      e5d9801f226ecd3af662df225f751ae8a8934357

    • SHA256

      f66c606d2ee6bbca375ab4268b0c6aef5170a4ca580a00e17a56057a7a127743

    • SHA512

      0824b42ca2539709f77134ffea9c10fc9f4c126b6a309bd5d3ddd02a660ef98d63b178219d83b173340798c479a1008c2d4f57830898673043fee2450a210a58

    • SSDEEP

      3072:y67mylIhkoQpdK9H9YOecbKV02pKuKLK/M:7iylZoQwH93ecbKCR72/M

    Score
    1/10
    • Target

      RFQ-SW M-0013022-DHABI HARDWARE/vcruntime140_1.dll

    • Size

      49KB

    • MD5

      c106bef63b8db2f32de277b0c314249f

    • SHA1

      b172b5809f95bd4f4181fe30c30368b50a27f08a

    • SHA256

      dced523e24b4374522c86f7bbfc0ac8d8e1078336492629722081339adaad9ba

    • SHA512

      77aab947ffec187f054c68899f2b4186a53b2901fb74ee6702586c1207a4abea238c64da0aa3ebe56695c31606b315f9a6289ca1748e9770fcfca5816e7e6580

    • SSDEEP

      768:+Cm5yhUcwrHY/ntTxT6ovF7IVwwIl9znKxnVbgvqxNJUoK/Y/+b:lOHc16opIVwwI3znKxnKvKNJUoK/x

    Score
    1/10
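Two of the behaviours the report attributes to the executable and to jli.dll, adding a Run key and looking up the external IP through a public web service, are visible in ordinary endpoint telemetry and can be correlated per process. The script below is an added example, not part of the sandbox report: it triages constructed Sysmon-style events (EventID 13 for a registry value set, EventID 22 for a DNS query, standard field names) and flags processes that show more than one of the behaviours. The sample path reuses the names from the report but is otherwise constructed, the Run value name is invented, and the list of IP-lookup services is an assumption, since the report says only that a legitimate lookup service was used, not which one.

```python
"""Triage Sysmon-style events for two behaviours the report lists: Run-key
persistence and external-IP lookup via a public web service.

Added example; not part of the sandbox report. Events are constructed; the
sample's path reuses the report's file names; the lookup-service list is an
assumption.
"""
import re
from collections import defaultdict

# Autorun registry locations; HKCU and HKLM share the same suffix.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Autorun data that points into user-writable locations is the stronger signal.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
# Assumed list of public "what is my IP" endpoints commonly contacted by stealers.
IP_LOOKUP_SERVICES = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com",
                      "ip-api.com", "ipinfo.io"}

SAMPLE = (r"C:\Users\victim\Downloads\RFQ-SW M-0013022-DHABI HARDWARE"
          r"\RFQ-SW M-0013091-DHABI HARDWARE.exe")

EVENTS = [  # constructed Sysmon events, subset of fields
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": SAMPLE},
    {"EventID": 13, "ProcessGuid": "{A1}", "Image": SAMPLE,       # value name 'Updater' is invented
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": SAMPLE},
    {"EventID": 22, "ProcessGuid": "{A1}", "Image": SAMPLE,
     "QueryName": "checkip.dyndns.org"},
    # A browser looking up its own IP is a single, weak behaviour.
    {"EventID": 22, "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "api.ipify.org"},
    # An installer writing an autorun for a Program Files binary is also single and weak.
    {"EventID": 13, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


def classify(event):
    """Return the set of behaviour tags a single event matches (empty if none)."""
    tags = set()
    if event["EventID"] == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        tags.add("run_key_persistence")
        if USER_WRITABLE_RE.search(event.get("Details", "")):
            tags.add("run_key_user_writable_path")
    if event["EventID"] == 22:
        name = event.get("QueryName", "").lower().rstrip(".")
        if name in IP_LOOKUP_SERVICES:
            tags.add("external_ip_lookup")
    return tags


def triage(events, min_behaviours=2):
    """Group tags per ProcessGuid; keep processes showing at least `min_behaviours`."""
    per_process = defaultdict(lambda: {"image": None, "behaviours": set()})
    for ev in events:
        tags = classify(ev)
        if not tags:
            continue
        entry = per_process[ev["ProcessGuid"]]
        entry["image"] = ev.get("Image")
        entry["behaviours"] |= tags
    return {
        guid: {"image": e["image"], "behaviours": sorted(e["behaviours"])}
        for guid, e in per_process.items()
        if len(e["behaviours"]) >= min_behaviours
    }


if __name__ == "__main__":
    for guid, info in triage(EVENTS).items():
        print(guid, info["image"], ", ".join(info["behaviours"]))
```

Each behaviour on its own is noisy (browsers and installers trigger them legitimately), which is why the grouping is by process and the threshold is two. The remaining signatures on the page are not visible to Sysmon: the SetThreadContext call (the usual sign of a hollowed child process) and the read of the browser credential store were observed by the sandbox through API-level hooking, so on a live host they need EDR or ETW telemetry rather than this log-based check.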

MITRE ATT&CK Enterprise v15

Tasks