General
- Target: c70afb606221a72c84de5fbd45fec4fd1a20f5660aada89d3d077f6b07b000a3.exe
- Size: 1.1MB
- Sample: 241026-c4p9pswkdr
- MD5: be6a834da8ecf8227b52d4b70dabc6d4
- SHA1: bd6561c114620ebfece9bb582984466521799057
- SHA256: c70afb606221a72c84de5fbd45fec4fd1a20f5660aada89d3d077f6b07b000a3
- SHA512: 6bdcd1d1784b65170ce40308375101a808b0fbbfdb598b0fb6e3c0d76b3094e4aad561a66b5f0dff4c1f771228e10cb5e6fa84d185917c76f75140ec665ea1b0
- SSDEEP: 12288:5g3nx+EghYzypKIsgz7GRFmgk9iLUxCm9P:2LgSuKIXYFmbFxCwP
Static task: static1
Behavioral task: behavioral1
- Sample: c70afb606221a72c84de5fbd45fec4fd1a20f5660aada89d3d077f6b07b000a3.exe
- Resource: win7-20240903-en
Malware Config
Extracted: xworm
5.0
212.162.149.53:7071
TY63fKZqa6RHKwzW
- Install_directory: %AppData%
- install_file: USB.exe
Extracted: redline
FOZ
212.162.149.53:2049
Extracted: agenttesla
- Protocol: smtp
- Host: s82.gocheapweb.com
- Port: 587
- Username: [email protected]
- Password: london@1759
- Email To: [email protected]
Targets
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Detect Xworm Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- Xworm family
- Looks for VirtualBox Guest Additions in registry
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
- Virtualization/Sandbox Evasion (2)