Resubmissions
18-09-2024 16:12
240918-tnhy5a1cmp 1016-08-2024 04:34
240816-e7ba3azckk 1016-08-2024 04:25
240816-e14zssyhpq 1016-08-2024 04:25
240816-e1x69ayhpk 315-08-2024 21:56
240815-1tbkka1fpq 1015-08-2024 21:47
240815-1nkw2swfre 1015-08-2024 21:46
240815-1m318s1cpr 315-08-2024 21:46
240815-1mkvnawflb 1013-08-2024 22:28
240813-2dvtyazbph 1025-06-2024 11:24
240625-nhwp5swhja 10General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
240918-tnhy5a1cmp
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Static task
static1
Malware Config
Extracted
vidar
https://t.me/edm0d
https://steamcommunity.com/profiles/76561199768374681
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
aowapnzgtwgqowgt - Email To:
[email protected]
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Targets
-
-
Target
Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Vidar Stealer
-
Modifies security service
-
Phorphiex payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Image File Execution Options Injection
1Power Settings
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Impair Defenses
3Disable or Modify Tools
2Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1