General

  • Target

    19092024_0039_18092024_Bloodlike.gz

  • Size

    688KB

  • Sample

    240919-azvyaa1gna

  • MD5

    4d889df0aaaff199fc81ab2e7e537691

  • SHA1

    1f482370a288d3bb9a1a9141421ce469362fc16a

  • SHA256

    3ed15d1915a0408416f2db5a1c89a8b628b73428f3f768ae5ded17783f88ea27

  • SHA512

    7b7439528dd4b98a28fff3b72607fad6b041d2b8b746736d3b1ca7941c4ef7b93e8de451096b52837920d230dd1462101392b4d79d4360056e92a6aba64ac6b7

  • SSDEEP

    12288:iilMWo3J0//6gDQuAb6f/LA6Oh9P9LhtS6uWbhLIKinc0CeDu3JZXjDKrGWybWcF:iilHo3iq2IbW/cbVtDLuWbILgRjaybWk

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!

Targets

    • Target

      Bloodlike.exe

    • Size

      750KB

    • MD5

      3471130ee839f6cba7abaf6111fa2d95

    • SHA1

      7a2222ba4034d054e6f976835e4139286f1d3d00

    • SHA256

      2147f70eb8ebf3d80eef30e2e6e9d75758294682d052a954af53510087bfa512

    • SHA512

      d6a93951f206174472377faf0b20df7fd5638389f4489b310d2679b91b3e6dba36a98dccd6f000adfbe3546238d90cb6813410b1dc3b1b355ee934dac79b7d02

    • SSDEEP

      12288:lXZEFyI2w//6CDquAh67/bAAkh9B9LbtS+OWbhxIK0Hc0CeD43JZHVDwrG8qjWK3:lXeFbRqkGhg/sJTthtOWb4riRVmqjWJ6

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      11092c1d3fbb449a60695c44f9f3d183

    • SHA1

      b89d614755f2e943df4d510d87a7fc1a3bcf5a33

    • SHA256

      2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

    • SHA512

      c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

    • SSDEEP

      96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks