General
-
Target
nQuotation.lzh
-
Size
1.0MB
-
Sample
241105-tfm8wawqem
-
MD5
0e359e0015e712e892ec5b680c68cfcc
-
SHA1
62e4dffb7bdd5011e8715ffdbd4ff6a9cdaaa827
-
SHA256
1612a197144adfe1b30ca1c680e93d2ee916d46be0b7b163bf5afb212cff4155
-
SHA512
d7c2291f78c6dbbceb90061e6a20b08f575641cae0d76c8e0d8b30d307d4e878af81e0053f6291e95c3a6ca5991230f6097b43601140b06b48faec50fc314daf
-
SSDEEP
24576:8+Nd8zfriTrzIEkO50kgaVJRxie41v3NN+asZIp3Ks7:qcrUEf+BIYe8PGcKs7
Static task
static1
Behavioral task
behavioral1
Sample
Quotation.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Quotation.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.showpiece.trillennium.biz - Port:
587 - Username:
[email protected] - Password:
3KJ[T.3]fsSW - Email To:
[email protected]
Targets
-
-
Target
Quotation.exe
-
Size
1.1MB
-
MD5
816b7984251ee4c846a7f0d6160624e2
-
SHA1
be82357d711260a412103e7fde8785febd060974
-
SHA256
648ee80543d70f070c497309e4c7ce090254374da938799074de93bdaafaff5a
-
SHA512
81e035b9ffd16b8a31ab23f1d2bf621954cd42b8c0fdf0daffbac12f1964d41d949af68a06259e27bcc8163221cbfdb05f300eca7151ff901a2bcd36ca8b7a4c
-
SSDEEP
24576:G4nhDoAFAcvHumQbl7nu5v12dUC5YpdBNFQWEZNXLGQ7WczkxFnfbP9:G+hkJcvfyl7nu5vaUCMd5iNXKQKczg
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Guloader family
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
d6f54d2cefdf58836805796f55bfc846
-
SHA1
b980addc1a755b968dd5799179d3b4f1c2de9d2d
-
SHA256
f917aef484d1fbb4d723b2e2d3045cb6f5f664e61fbb3d5c577bd1c215de55d9
-
SHA512
ce67da936a93d46ef7e81abc8276787c82fd844c03630ba18afc3528c7e420c3228bfe82aeda083bb719f2d1314afae913362abd1e220cb364606519690d45db
-
SSDEEP
192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
Score3/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1