General
- Target: 59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6.exe
- Size: 979KB
- Sample: 241112-cvkmvssfrj
- MD5: 411ad554068219f2ed0ce5e74f02d542
- SHA1: 917cc7780771e518c544338e24204471c54ec5fa
- SHA256: 59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6
- SHA512: 6dbd1cffd8e580bb8737e00e6c85a63d8092edb2db2028d671241fc1223e58d254a13adfe1ee05574a98be8ec471566bba7d73e2d73d30ba1805d35615c3e090
- SSDEEP: 24576:i/Vwqfj3y6EQ4Dsv+G/9nRn0fyVPiDrNEtEBkvUEZmWwH+EP0R/tF25taZScLvci:0Vwqfj3y6EQ4Dsv+G/910fyVPiDrNEt1
Static task: static1
Behavioral task: behavioral1
- Sample: 59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: Overkeenly.ps1
- Resource: win7-20240903-en
Behavioral task: behavioral4
- Sample: Overkeenly.ps1
- Resource: win10v2004-20241007-en
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.concaribe.com
- Port: 21
- Username: [email protected]
- Password: ro}UWgz#!38E
Extracted
- Family: agenttesla
- Protocol: ftp
- Host: ftp://ftp.concaribe.com
- Port: 21
- Username: [email protected]
- Password: ro}UWgz#!38E
Targets
Target: 59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6.exe
- Size: 979KB
- MD5: 411ad554068219f2ed0ce5e74f02d542
- SHA1: 917cc7780771e518c544338e24204471c54ec5fa
- SHA256: 59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6
- SHA512: 6dbd1cffd8e580bb8737e00e6c85a63d8092edb2db2028d671241fc1223e58d254a13adfe1ee05574a98be8ec471566bba7d73e2d73d30ba1805d35615c3e090
- SSDEEP: 24576:i/Vwqfj3y6EQ4Dsv+G/9nRn0fyVPiDrNEtEBkvUEZmWwH+EP0R/tF25taZScLvci:0Vwqfj3y6EQ4Dsv+G/910fyVPiDrNEt1
Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: Overkeenly.Aut
- Size: 55KB
- MD5: e1aaf4db5b49f5077aa39b8e8ca91243
- SHA1: f1d68c2d223d1112f80b798a131da9e91c826bce
- SHA256: 76a1f9a4593917cdb08c30b9a444a43a7100fb1332aab4d7a4e335819eeeae55
- SHA512: 80d95f4062e06d0706c070b1071d9ba8ca3fa824532dbd3978cd95405502d48cf81dd2e5c6c329a90ebe8793e2065f22cb5502c510076ca626f6e92f0ba8608a
- SSDEEP: 1536:EBuR7slSxKxB6bwQZdh+1vnpTWOogw5C2YwBLNHh:EBuRoiKx0bvdsllCDBL/
- Score: 8/10
Signatures:
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.