Overview

overview

10

Static

static

1

2410031168...IE.exe

windows7-x64

8

2410031168...IE.exe

windows10-2004-x64

10

Unengrossi...le.ps1

windows7-x64

3

Unengrossi...le.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    04102024_0113_03102024_241003116844_ZAMÓWIENIE.IMG

  • Size

    1.6MB

  • Sample

    241004-bk9zbswerq

  • MD5

    7f06fd7c2c7fb5b1b17db82e37ceb6cf

  • SHA1

    08014262378f4127a3237a8c9fd9ac111ceaa09a

  • SHA256

    69bfce6c185377b5047756d9cdbb5f029eda2dc8c3bbfcc0641da5ee4b94dedc

  • SHA512

    3ad5d387a1d70ccdf7020ee44931d3cfc831bed0a41cab09e7fce9d91e23508f7450ac934d0c8c8fb0c43c7248cb721b67e961094f6f0ce27f2078223b187df1

  • SSDEEP

    24576:GgD0Xah46clx/flW5y0DGeYongL84sNEQ:GgYXaefsZ3YoY84gj

Score
10/10
agenttesladiscoveryexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    hr,d@KUwa5llI%*RNL^J]g%8I;!;_Ne#G1h~lE!*86DAAD6#iLm$x)r+e1z$p+_Q,4_(f!};B?vD!IG?NqT[zOHNr6_nww[S]V?MlcYSt_QO

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    hr,d@KUwa5llI%*RNL^J]g%8I;!;_Ne#G1h~lE!*86DAAD6#iLm$x)r+e1z$p+_Q,4_(f!};B?vD!IG?NqT[zOHNr6_nww[S]V?MlcYSt_QO

Targets

    • Target

      241003116844_ZAMÓWIENIE.exe

    • Size

      1005KB

    • MD5

      36c593a2ceb2680510f2094cd6e4010d

    • SHA1

      03f1e81a26c614bcac620bbcd7a90f078e7d6146

    • SHA256

      faa7829ce9f42c0f66f754bda78ed09257191d44be15b16583e1a2df1eceff64

    • SHA512

      0aef0057ec535bb8b892462b9859396ca59531913eeed4385e6680d1930d85fc1cec6ee12802fa3c4c397b2240f63850eba140179c92e3f4ce4a8baf15f1a9ca

    • SSDEEP

      24576:UgD0Xah46clx/flW5y0DGeYongL84sNEQj:UgYXaefsZ3YoY84gjj

    Score
    10/10
    discoveryexecutionagentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Unengrossing/Independable.Ovi

    • Size

      54KB

    • MD5

      9bb7bc97960fef33d8884cdca423c2dd

    • SHA1

      a316731a54a85c2b2c99be377b81196a08c81d7f

    • SHA256

      e03ca6b56a172df4b35a9862314b1c8993d4981923a7bca152b8324931f3b303

    • SHA512

      3b314d83e646b01e5e2506cb9d16101fe8f3f5ae1ee74291fd12ac6be5abb80ebc8c55cd19fd07050962bb4181d16ace9f12d3100f86ca6cf6962faecdef45d8

    • SSDEEP

      1536:h4gmjN3ekb38e9Q4rjWK2kO6qXmBIvNdMhsf6x/u6T:mP17x9QAjZlIm6/MSC

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks