Resubmissions

  • 02-09-2024 02:44: 240902-c8nlnszbmj (score 10)

  • 25-08-2024 17:39: 240825-v8my9axfql (score 10)

General

  • Target

    c13e1be685dc71ead26117e72e44ff37_JaffaCakes118

  • Size

    2.0MB

  • Sample

    240902-c8nlnszbmj

  • MD5

    c13e1be685dc71ead26117e72e44ff37

  • SHA1

    4d2dc17cfb31fbaa43a6fe960da751e5f7dfe9be

  • SHA256

    ab3043b6f2321bdc9cec4d04b828e293ac1d1f41786494ac8272046d1bdb4663

  • SHA512

    13d8afe6ba68d6aaaf6018478558c6524c38e8ac6190903c1c86d2b5172f0f9aefc945e6f4596c796181d1bc51df847044f08fda77cdf33f0d778e8d5825704d

  • SSDEEP

    49152:2yFMwdzg/oFuJxysHr4qVn9T0bpw+3RSvZZJpou9fyi0N:2k3dzA5OdoZboml0N

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Targets

    • Target

      Invoice.exe

    • Size

      502KB

    • MD5

      904caccef3f65e9229a12d2fe7b7041a

    • SHA1

      0f9c30fc80338e85bb20c047b30885d4c3adf5e1

    • SHA256

      24fb7946550f1ce880b6e96318c2ce6cdb993679db6a9e2c34c6e809fab35c64

    • SHA512

      0a95935977872eebe60ca83c58ae25338d68792a7e86bbf5605a8a4219deaf67e9418b187fa4e0444277d69c20e67f703e7cea3cc1d2c588bc0990b8c80c6bbe

    • SSDEEP

      12288:vFda+Fda3FQMGhfwkD3gDLWCIWBz18taUAf:gFpGhfw+oCZqOt

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Pics.exe

    • Size

      806KB

    • MD5

      676dda52e0fec9f49caee414127de4ef

    • SHA1

      6d95db4649588997b3b53b5e95aecb67047ba3ae

    • SHA256

      20f5a9a0987d95a8b22df5c60e246d85259ec8893d0d6f3c7fdfeecb066e6b07

    • SHA512

      ac1dc1bc932c503360119c713b3ae0d81331f1f36838e2b26dab1c8a80e5c4f7df57df19ad6c59cbc8f2f77d02f77fd9f9919cd5be8310ef17ce15d25126ccfb

    • SSDEEP

      12288:fFda+FdaiFQMGqfwkD4KyN5U97OlIhvGPC10KnLkwvsdir8EwBxAOpWerOR8AtsF:VFpGqfwBtN0j10KLkwQiYHsv6At

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often abused by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Drops startup file

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Products drawing.exe

    • Size

      501KB

    • MD5

      59eb6cff844446f0e44f2d3d85f85a9e

    • SHA1

      c0f7887016df63c80647c4fca82b979dc18ff010

    • SHA256

      1339a751e36cce726e3d808cfad7cd81c7f0712103a9c26a65acaf8c573f97b5

    • SHA512

      456f66a52e7fab312d226be645d4543fa9156944fb1fc7265aa75a316c29aa6f994cf3e2eccc93c2837b9b9c9f904b2cee7e08078604d51c7496f11635948f2f

    • SSDEEP

      12288:XFda+Fda/cQS84fwkDB1vSYVGJRu1ujK8q+TXmXTtt7Af:ccn84fwE1fVaFK8NSt

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Quotation and Prices.exe

    • Size

      730KB

    • MD5

      6d991f93327f70488011bf06ba799930

    • SHA1

      1b630a8c337cc48f9ec41cccc4352f51e7d51e71

    • SHA256

      abfc5a0bbf24e3dbc1c76c0734ea0b1ed6a0d5ff6f44f2a5a3e4e2f9317118c3

    • SHA512

      181be4ad5a549d51461fd8c9a470abac2895f51b5ec1cdba6927644ca0e8fb91663d8635ed5c98f4a90ae2752eb98b3235f106ee2d009cc885bdf6d0faadfe70

    • SSDEEP

      12288:tFda+FdahcQS8zfwkD/j1UGmy7eaqwVlXN8eR5dKFLtnoAf:8cn8zfwa1Dmyxrd8eqLt

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main payload

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

agenttesla, collection, credential_access, discovery, execution, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral2

agenttesla, collection, credential_access, discovery, execution, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral3

hawkeye, collection, credential_access, discovery, execution, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral4

hawkeye, collection, credential_access, discovery, execution, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral5

agenttesla, collection, credential_access, discovery, execution, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral6

agenttesla, collection, credential_access, discovery, execution, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral7

matiex, collection, credential_access, discovery, execution, keylogger, spyware, stealer
Score
10/10

behavioral8

matiex, collection, credential_access, discovery, execution, keylogger, spyware, stealer
Score
10/10