General

  • Target

    c7c05d0d5395bf483f228da01c4b804ffaba480fc1012ca5377b7040ac77a933

  • Size

    1.3MB

  • Sample

    241014-h4ljeawemk

  • MD5

    ec392ffc0dc14130bc6d8bdc2d5d292a

  • SHA1

    7c5eb935f92486f6cef1cfaf01adc02a1ca3978c

  • SHA256

    c7c05d0d5395bf483f228da01c4b804ffaba480fc1012ca5377b7040ac77a933

  • SHA512

    43640c8485e7bb3b0c494292616e326fa36c425e96816eaa0c684cd225a99027e2adeda4dadec00d1312f84c8be6c55035e27894189ba1d23e1b0e059e757f5f

  • SSDEEP

    24576:iK0Lcqbpe5PKKu8VPvrOIr6HbbB5OhIMVJwhzWKWPiqNQ66qB:dx0pexRVPvCIWHb67wtWpPiaQzqB

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7413187928:AAHgub3UE5yP-qCeiBRX5XXLLxf5beHmSTM/sendMessage?chat_id=2126102657

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6562806943:AAGufR13-622BXIjHsbpmkQygiIJA1Vo--c/
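Both extracted C2 entries are Telegram Bot API endpoints: the bot token sits in the URL path (`/bot<id>:<secret>/`) and, for the VIPKeylogger config, the destination `chat_id` in the query string. Those two fields are what make the URLs useful as indicators. The following is an added example, not part of the report, that pulls the fields out of the two extracted URLs, produces a defanged form for sharing, and matches the tokens against proxy log lines; the log lines, host names and the third bot token in them are constructed for the demonstration.

```python
"""Pull indicator fields out of Telegram Bot API C2 URLs and match them
against proxy logs.

Added example. The two EXTRACTED_C2 entries are the URLs from the report's
extracted config; PROXY_LOG and the third bot token are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

EXTRACTED_C2 = [
    "https://api.telegram.org/bot7413187928:AAHgub3UE5yP-qCeiBRX5XXLLxf5beHmSTM/sendMessage?chat_id=2126102657",
    "https://api.telegram.org/bot6562806943:AAGufR13-622BXIjHsbpmkQygiIJA1Vo--c/",
]

# A bot token is "<numeric bot id>:<secret>"; it appears in the path as /bot<token>/<method>.
TOKEN_RE = re.compile(r"/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})(?=/|$)")


def parse_c2(url):
    """Return bot_id, full token, API method and chat_id for a Telegram bot URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TOKEN_RE.search(parts.path)
    if not m:
        return None
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        # Path after the token, e.g. sendMessage; None when the config only stores the base URL.
        "method": parts.path[m.end():].strip("/") or None,
        "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
    }


def defang(url):
    """Make the indicator safe to paste into a ticket: hxxps, [.] and the secret masked."""
    url = url.replace("https://", "hxxps://").replace("api.telegram.org", "api[.]telegram[.]org")
    return TOKEN_RE.sub(lambda m: f"/bot{m.group('bot_id')}:<redacted>", url)


def scan_proxy_log(lines, known_tokens):
    """Flag proxy log entries that call the Telegram Bot API.

    Any bot API call from a workstation deserves a look; a token that matches
    extracted config is a confirmed hit for this sample."""
    hits = []
    for line in lines:
        for field in line.split():
            if "api.telegram.org/bot" not in field:
                continue
            info = parse_c2(field)
            if info is None:
                continue
            verdict = "known_c2" if info["token"] in known_tokens else "suspicious"
            hits.append((verdict, info["bot_id"], info["method"]))
    return hits


# Constructed proxy log lines for the demonstration (not from the report).
PROXY_LOG = [
    "2024-10-14T10:02:11Z host=WS-0117 GET " + EXTRACTED_C2[0] + " 200",
    "2024-10-14T10:02:15Z host=WS-0117 GET https://www.example.com/ 200",
    "2024-10-14T10:03:40Z host=WS-0042 POST https://api.telegram.org/bot1111111111:" + "A" * 35 + "/sendDocument 200",
]

KNOWN_TOKENS = {parse_c2(u)["token"] for u in EXTRACTED_C2}

if __name__ == "__main__":
    for u in EXTRACTED_C2:
        print(parse_c2(u), defang(u))
    print(scan_proxy_log(PROXY_LOG, KNOWN_TOKENS))
```

The token is the part worth keeping in a blocklist: the bot id alone is not secret, but the full `id:secret` pair is the credential the stealer authenticates with, so it both identifies this sample's infrastructure and is sensitive enough that the defanged form masks it.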

Targets

    • Target

      AGM9508218Q7FD027178.pdf.exe

    • Size

      766KB

    • MD5

      28ab515fcf945bbc6213ca8b8db9b749

    • SHA1

      a87037d2a921c46f1f5295c483344240ccf56507

    • SHA256

      983261d4e48b0cd813d8043ed014f06bb66f08be2b67926a7ca7445a1984a10c

    • SHA512

      5d69c3ecae4d91005e7090b934b9219979d5c807b02f835280f4690dd5c1e50db1b9647584b6e34c5277ae8fdfede64d1f86081fd154814a48ef81bea4d263f4

    • SSDEEP

      12288:eL3DzHZno/kcNSwCtWKePQhP64S+gPV49iLpWd20u8Aby2H/AoeyNWqp:eL3DzH9oMcklt6IwUQWgv8Aby2Hooeyh

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a typical step in process hollowing and similar code injection.

    • Target

      INVOICE X2X6660.exe

    • Size

      735KB

    • MD5

      5767a02df8f052b3ae22b26235e5b867

    • SHA1

      1005629a074fe5941ff657aabf2743b0c23d0fdf

    • SHA256

      e6cfb49fd8ae87880763a16c38be85e5354acda0c87a19348cf8aff8806499a7

    • SHA512

      a89a2b1973a6026032caa987492be0ff516007c6d62fbd1bdb586cbde64a50f2ab4cf64f29875814d45418b29f55032059947eec98fbc670c8577c9f0d59c386

    • SSDEEP

      12288:FL3H2OHZno/5rh61y4rKNyjgYyBdFAxzuHjTGmbTrBw11g0DqyQc+3btWqpN:FL3WOH9oxkyY+bYQdFIzRmBogvFcsbM0

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a typical step in process hollowing and similar code injection.
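Both targets are flagged for running PowerShell that adds Windows Defender exclusions. On the host that is the Add-MpPreference or Set-MpPreference cmdlet with -ExclusionPath, -ExclusionExtension or -ExclusionProcess, frequently launched through powershell.exe -EncodedCommand so the cmdlet does not appear in the process command line. The check below is an added example, not code from the report, that scans script-block text (Event ID 4104) or a process command line for that pattern, decoding the encoded form first. The sample events, the excluded paths and the process name in them are constructed and do not come from this sample's analysis.

```python
"""Detect PowerShell that adds Windows Defender exclusions.

Added example. Looks for Add-MpPreference / Set-MpPreference with any
-Exclusion* parameter in script-block text or a process command line,
decoding a powershell.exe -EncodedCommand payload first. SAMPLE_EVENTS
and the paths in them are constructed, not taken from this sample."""
import base64
import re

CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# -ExclusionPath / -ExclusionExtension / -ExclusionProcess (and -ExclusionIpAddress),
# followed by a quoted value or a bare, possibly comma-separated, list.
EXCL_PARAM_RE = re.compile(
    r"-(?P<param>Exclusion\w*)\s+(?P<value>\"[^\"]*\"|'[^']*'|[^\s;|]+)", re.IGNORECASE
)
# -EncodedCommand and the abbreviations powershell.exe accepts for it.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+(?P<b64>[A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_command(text):
    """Expand a -EncodedCommand payload (base64 of UTF-16LE); return text unchanged otherwise."""
    m = ENCODED_RE.search(text)
    if not m:
        return text
    try:
        return base64.b64decode(m.group("b64")).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text


def find_defender_exclusions(text):
    """Return (cmdlet, [(parameter, value), ...]) when text adds exclusions, else None."""
    script = decode_encoded_command(text)
    m = CMDLET_RE.search(script)
    if not m:
        return None
    # Only the arguments of this statement: stop at ';', a pipe or a newline.
    args = re.split(r"[;|\r\n]", script[m.end():], maxsplit=1)[0]
    found = []
    for p in EXCL_PARAM_RE.finditer(args):
        raw = p.group("value")
        values = [raw[1:-1]] if raw[0] in "'\"" else raw.split(",")
        found.extend((p.group("param"), v) for v in values)
    return (m.group(0), found) if found else None


def scan_events(events):
    """Run the check over a batch of script blocks / command lines; return (index, hit) pairs."""
    return [(i, hit) for i, text in enumerate(events) if (hit := find_defender_exclusions(text)) is not None]


def _encoded(script):
    """Build the -EncodedCommand form the way a dropper would (for the constructed sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events (not from the report): two malicious, one benign.
SAMPLE_EVENTS = [
    'Add-MpPreference -ExclusionPath "C:\\Users\\Public" -ExclusionExtension exe,dll -ExclusionProcess dropper.exe',
    "powershell.exe -nop -w hidden -enc " + _encoded("Set-MpPreference -ExclusionPath 'C:\\ProgramData\\svc'"),
    "Get-MpPreference | Select-Object ExclusionPath",
]

if __name__ == "__main__":
    for i, hit in scan_events(SAMPLE_EVENTS):
        print(i, hit)
```

The check is deliberately scoped to exclusion changes, the behaviour both targets are flagged for; Get-MpPreference and other read-only administration does not fire. Script-block logging is the better source because it records the decoded cmdlet even when the process command line only shows the base64 blob.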

MITRE ATT&CK Enterprise v15

Tasks