General

  • Target

    9404c7a99bcdde02f50e378d1dffad170426af7c1c5c545b2f6fd57de48ffad5

  • Size

    1.8MB

  • Sample

    241121-za9gtaxkhw

  • MD5

    8fae35da9fc7bd3729bc7a3e361bddda

  • SHA1

    1198db2a80225df6aa0bde198c10673695f5b2c5

  • SHA256

    9404c7a99bcdde02f50e378d1dffad170426af7c1c5c545b2f6fd57de48ffad5

  • SHA512

    9c55baf896cab02a0e604aa1e23e1afac8b0700b3d6cfd6a72528b13e81f76088416521f37e05cbbebd9bb716a928747ae3b3053655f4baa68ee697fd36d8927

  • SSDEEP

    49152:xfW7yuwnU3kTKsa0SHJlOcDXC0Ury02BmpsDHY0o7v5k:geuaN8ny8C/yepsbUu

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Extracted

Family

agenttesla

Credentials

Extracted

Family

lokibot

C2

http://mail.outlook-webpage-auth.ml/joe/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://chrisupdated.xyz/ttboi/five/fre.php

http://62.197.136.176/userbob/five/fre.php

http://iowipalbv6atsy.tk/Concord/fre.php

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mushko-ps.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Uma335@Mps

Targets

    • Target

      malware/EinTT.exe

    • Size

      583KB

    • MD5

      a4741e30b7b12d7b7ff728527bf7023e

    • SHA1

      d8429912433ca80b1fde886c1e91af51abab5efe

    • SHA256

      693b96514d1d57ee01269e74390bef130a9980cd91f8487cac6f3a89c4f18b25

    • SHA512

      7532983d8d1ac79bfc1384320461ee807dbfd5399c82a01c2f86746adb50e614ab5ca85a466a512f9a9af0bab7cffabd98a2d37e5023815c2e3bfa962d360342

    • SSDEEP

      6144:dO99nEZS3bUmSoiDnQtUcs99EwG4EJJjtnqN1+Wwv/UxTRJQF8gswo7r:wDEZfmwcAywwFxv/ifgf3E

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • System Binary Proxy Execution: InstallUtil

      Abuse InstallUtil to proxy execution of malicious code.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      malware/fox.exe

    • Size

      21KB

    • MD5

      dce19521a9244e07348ad6d9594d0e82

    • SHA1

      0afa324ff68a5e398c1c7d2b1c86ad2c8cc1c9aa

    • SHA256

      3b14b04160d49bdd074d3d571992ed5333b8292a3c0f8f58988c606bd91408f9

    • SHA512

      49892e61920f4baf2d3228ab5b985c4252411cb40bca68d3fa069148cf474c1a3160f043c3b2b532634e361350be9f39bd89a9e92361c962dc65cab5b939a496

    • SSDEEP

      384:7fGDq/aQWkYFX7MEC6UVfvLGZkvLYt5Pw:jGO/0kV6QfievLYt5Y

    Score
    3/10
    • Target

      malware/guJPO.exe

    • Size

      164KB

    • MD5

      a73bd7a7d57c7132fab130836c4e1bf3

    • SHA1

      be5a57900b99030c1edda051f47ac7b71d5a4402

    • SHA256

      4ef90b24b4674cd6914181ff64e47d9a31069412cb41ffb60dfcf1c0f491dd74

    • SHA512

      6470654f2dcf22bcbf38d293f08545de4660ea2f66dc180523c5b2ebf1e664b2f93756b62f665c3d30f923eb0efcc4f5025bb7f27bd2d4420fda3128238ba20a

    • SSDEEP

      3072:fYdJcDSGFUXHZXG/+wsaE8HV6mIJpLTw5h87lhYHkwA3ZtaYvIN:fYMYpW/zJZHEm2pLUh87lPX7aq

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader family

    • Xloader payload

    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      malware/loader1.exe

    • Size

      233KB

    • MD5

      b347d8b2e90e11981f6895be59b5f30c

    • SHA1

      fecff17fe981b71deaa00b7522833f2a9c3ffee7

    • SHA256

      10ccac80baa31a7a96f2b73fe158db6b699f27f9b89af9692a0ccc152802fb12

    • SHA512

      c812ea37eccc072a73ff4e1c81eb29b1b5ca2eda5a02c1fae2955cee49d0b770bfa7437e9f67ea15f39838d75c546da6a8359a616f537dd7ab785d0fbfcc617c

    • SSDEEP

      6144:HNeZmtzTH8yzLyIjNv3Sy+BsSuLagm4ZPvX/yMB6Z:HNltzTH8ULLjU1spaIPvLW

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Lokibot family

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      dnjdbaa.exe

    • Size

      3KB

    • MD5

      b17e11409b97808d802c27523541dcab

    • SHA1

      0c880010d7d33b0f60ba731245d0b016387c8621

    • SHA256

      47e37b53746d8769b8c78851a402fa40698c3fb7437c6f922df1de9053e4d366

    • SHA512

      ccc80355178322133ef878d42663eb583916598264b9f7039719ddac54fdccd1d7007d3414d35170de5ad61d4b4ecdd6cd8b26f48fc447e200a4e650c5c7504f

    Score
    3/10
    • Target

      malware/regasm.exe

    • Size

      401KB

    • MD5

      29b6f7f3043b17847283b694e6eecffc

    • SHA1

      2dc63f5052eb2dbfd6c0c9192b92e1f53b32ccd8

    • SHA256

      7500469c4541e998741549c72877eeda8d52ef698155cc5042eff21ed2bf8581

    • SHA512

      be4b02c6f0b0fcf1155b3970557ab618dc4da26b77bacb75422da110d89458d89e927301b3f49a179466dcbea186435b8ad94bcc03b8c77fcd8158f4a9147684

    • SSDEEP

      12288:Dp6Hg67Dy5dVoUSrcLM0bK5FMtm7+RslS:gRiHi3cwvnWQ+6l

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Lokibot family

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      malware/vbc.exe

    • Size

      231KB

    • MD5

      72b2e84c1aec86b5c955ff098d7fd8b7

    • SHA1

      20f9c563206eff907cfad0723988de58872bc93e

    • SHA256

      1b26f49cdc29c81ea4d8f5571349e835662bca7881608dce0d13e86798dd9ac4

    • SHA512

      e5d062f0b105332ffa06f3e13c5ecc0dd66fc58bb631f31bd85b4a60f138ff2e127550eec6dbd47cb644ea2def1aa1fcb473a4db2c36752946798998e2adadaa

    • SSDEEP

      6144:HNeZmGsX4gDALdTQQNUofXRkvlNEH/T2UfL:HNlGsXP0+QNUoINeq6

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Lokibot family

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      rywcikv.exe

    • Size

      4KB

    • MD5

      1c8099bf75f0b18987ddfdde63e52d60

    • SHA1

      d613404fd561ed3bcb44d1d9e949dc08bb7950ca

    • SHA256

      d16719d16c1da558db23766d79a44613e3ca6519d2fc81a167b62d8e39ede0e3

    • SHA512

      7bd7df1775ad0cf9d6be44019104ddde47180da262aabb1c900aa36727c73343c9f33a0e72f5bd119dba4f9937117faac47d0d2dddf1876da1ffb0f4136623c9

    Score
    3/10
    • Target

      malware/vbc1.exe

    • Size

      233KB

    • MD5

      9a438bc1d2e08161d0fade11ff6c39bf

    • SHA1

      9522e356bba95728046ced9c7071b58cdb5a6d76

    • SHA256

      b77f6786b940f40b4eebd492b925ad174b28b50fbf9ead3a1b1000189b530704

    • SHA512

      2ecffdcb152f302ea16bbfdd57182ccac40361a2c2345cf41d0863685807ebdeaf9f8c43ce43816289d45352dbafade5c8ba820795c0c8c7cf8e016bcf8ade9d

    • SSDEEP

      3072:l1NjcVVnLpPunb5AWOGVQurbu9wVL16oqjoKDqsuoSS4wNPiZeEHO3My6H+sUPln:HNeZm5A9GSgVL1jq7U7wpjtp6Hfq//Fp

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Lokibot family

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      eblupydfzx.exe

    • Size

      4KB

    • MD5

      ca2bb1242c27b83ee0002fe931c4d5e0

    • SHA1

      a2da8943712e92171229fa0316398150594d2b40

    • SHA256

      189623f765bde100bf74824aca0038ecd2fea8ec2994c5e097ac657bfa1c5daf

    • SHA512

      73b166c1ff8d2c5b0c8ed28861b250e2e1689a6def66f990927d78d9053a1d9d51ca96959f75f9e43d2c1d9434d26931da967964f602d9e141ac816e5e3ffaa8

    Score
    3/10
    • Target

      malware/vbc2.exe

    • Size

      265KB

    • MD5

      aad8885345c5d145c8cb22292332fb38

    • SHA1

      b7c01db77c5cd491bee82e125d4783175a1f73b7

    • SHA256

      0007c9f7203e80c87042d5b4ae3208bf3adf66657c65e02ef6136c5b18ee3bcb

    • SHA512

      70bd8402767b7c7ca1fce5f737e5fff44dda0ebf5a81f1465589dfe5179bc17d82009f771157d2003bf22f7d5582f90330f1159d9d464c90dceeff503e568f09

    • SSDEEP

      6144:HNeZmORhwi08GOs8RuAR3F7saaLIcscJY6pYQsFle2ujpLiFAD:HNlchakNRJKTsN6pYbFlgt7D

    • Target

      ioatgumevw.exe

    • Size

      4KB

    • MD5

      f88371b8ec4dc631943fe54a227707dc

    • SHA1

      a127b7a645f9468105a31109a3572960004a7316

    • SHA256

      6ea31176202a06bbfd787b91c64c8ac55cd8e2c817e37d556576133334a3614b

    • SHA512

      b4d04bf47e643845e97da626f62dcd5ac3611508300769bb2840fbde88ecbc2229cadd0ef3b2b50ab36042e9e31c71211e4d335871f15840ec5aa3bd5244c1ef

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, ahc8, xloader
Score
10/10

behavioral1

agenttesla, collection, credential_access, defense_evasion, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral2

agenttesla, collection, credential_access, defense_evasion, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

xloader, ahc8, discovery, loader, rat
Score
10/10

behavioral6

xloader, ahc8, discovery, loader, rat
Score
10/10

behavioral7

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral8

discovery
Score
7/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

lokibot, collection, discovery, execution, spyware, stealer, trojan
Score
10/10

behavioral12

lokibot, collection, discovery, execution, spyware, stealer, trojan
Score
10/10

behavioral13

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral14

discovery
Score
7/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral18

discovery
Score
7/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

agenttesla, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral22

discovery
Score
7/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10