General
Target: 5c64d7a281b50ec505681d898396dafc981db5aa119be5527efaa09b824febf9
Size: 2.3MB
Sample: 241121-y9vbhaxkdw
MD5: 4219491f809cf87b582dbb4d62929a18
SHA1: dddffa33210ad6a27a1d7a6bcbf1599cb127355a
SHA256: 5c64d7a281b50ec505681d898396dafc981db5aa119be5527efaa09b824febf9
SHA512: f53d324ebc685c70abab00503832016a84d0b1dbfe1fe112e8786c76039df4e7e851f0d64dd01ce9b1e8b383462be6d3bb85f18f01c3644c0003a577e4e978a7
SSDEEP: 49152:7spzJbfMiH9pInZVTtZUW2mAqqbwOHOKy68sHIMDUe07rBWyfeqEcbf:7sXeZht7rwwrR68sdDAXvfeqZf
Static task: static1
Behavioral task: behavioral1 (Sample: ComparisonComparer.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: ComparisonComparer.exe, Resource: win10v2004-20241007-en)
Behavioral task: behavioral3 (Sample: po.exe, Resource: win7-20241010-en)
Behavioral task: behavioral4 (Sample: po.exe, Resource: win10v2004-20241007-en)
Behavioral task: behavioral5 (Sample: poo.exe, Resource: win7-20240903-en)
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: webmail.probuildqatar.com
Port: 587
Username: [email protected]
Password: sionyl@123456!
Extracted: xloader
Version: 2.3
Campaign: i9me
Extracted: xloader
Version: 2.3
Campaign: sjgd
Targets

Target: ComparisonComparer.exe
Size: 1.1MB
MD5: 1b4adf62e0c46012449fd801df584dc0
SHA1: c1b571f954904cfb936b518794f55d6dea2976c8
SHA256: 6fec8cc4ed0ac509f62cbffd2fb41a184c607196cf874ad101f265acd058f7ce
SHA512: 5f57641db51aaecb11063209e86bb74c56daddcfb2619d9d11fa2020b09c15d93afe0fee474b501e70c6d6c8c746426f187e66e06efb95370850ae8c3c3950f1
SSDEEP: 24576:WY9pKiJbaiJbxiJbYodlR1fpg6TMfC5iSdBbIbigb7:WspKiJWiJNiJsM5fK6T+udBbIbig
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Agenttesla family
AgentTesla payload
Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
Adds Run key to start application
Suspicious use of SetThreadContext

Target: po.exe
Size: 968KB
MD5: 7c8206e11a3f0a3832c65ee22ca21819
SHA1: fb255b2ee75cc76180daddb78c7cf912eb248f06
SHA256: f8cdb91e57d80dd935b4490720b39d75db0443fac602c9d4cdab434aa82a6a43
SHA512: b230d0ebeddb1641a2f63286b8d90d7f7d83b03f5cec4d7433e8463dc22796c9bf657bb487ab7f57221173cd42721b27289dc2e7f8f9817fcd3f6a6968c5bca2
SSDEEP: 24576:AyCb02+HEYq7j15AD9UvCVPA/012j1DkdZ:px3HZqdcUS2Jkd
Xloader family
Xloader payload
Suspicious use of SetThreadContext

Target: poo.exe
Size: 974KB
MD5: a7a7e5941f4485610a7f41704f00e421
SHA1: e47fea20cc78309942ff1c977b31e0a0d978a487
SHA256: edcb88871a091cde75e0e6aca09a4ff4781d3855e0a96112544366309bf2cc79
SHA512: 2722ead790d09addf580db38b768b64831d5c2a19a3fd0d245315f132b227479a12785115118e4d2b36dfd184729634c667238a53157877e069d093ea0155687
SSDEEP: 24576:yJLg4ZL5lnb78HeIpHNxLa+Hq6oDuGpOJhd7middX:g8mrMHeIpX++KFiGkrd7midd
Xloader family
Xloader payload
Deletes itself
Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)