General
-
Target
Nakliyebelgeleri.exe
-
Size
1.1MB
-
Sample
241206-h8h9vaskgp
-
MD5
620924d9a2e90d34b060c7e210785926
-
SHA1
736ce2fe105049ed45e90e5bd9d83086a6006c32
-
SHA256
014f4753734a62111955ca64721aa64a4b6d98b36e5a3bd9a4da5afc128b2f17
-
SHA512
d9b73f6d65eb4aabf05e96e06c864a68d921c627eca178cba573a46a1818f00d6934ce794eb1bcedccc2fbaef83ae2270eb9583217705293860450ef25a41912
-
SSDEEP
12288:pl/4qNMmw1GYDmImQgThNj/yMf5ck8WMvwvKIcrIPdEBEo7vPmXaNgI+pMeVOqIt:rM05NjKiclwSIU04Eb1MncwaF0C9Wn
Static task
static1
Behavioral task
behavioral1
Sample
Nakliyebelgeleri.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Nakliyebelgeleri.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
hypohydrochloria.app
Resource
macos-20241106-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Extracted
Protocol: ftp- Host:
ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Targets
-
-
Target
Nakliyebelgeleri.exe
-
Size
1.1MB
-
MD5
620924d9a2e90d34b060c7e210785926
-
SHA1
736ce2fe105049ed45e90e5bd9d83086a6006c32
-
SHA256
014f4753734a62111955ca64721aa64a4b6d98b36e5a3bd9a4da5afc128b2f17
-
SHA512
d9b73f6d65eb4aabf05e96e06c864a68d921c627eca178cba573a46a1818f00d6934ce794eb1bcedccc2fbaef83ae2270eb9583217705293860450ef25a41912
-
SSDEEP
12288:pl/4qNMmw1GYDmImQgThNj/yMf5ck8WMvwvKIcrIPdEBEo7vPmXaNgI+pMeVOqIt:rM05NjKiclwSIU04Eb1MncwaF0C9Wn
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Guloader family
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
fc90dfb694d0e17b013d6f818bce41b0
-
SHA1
3243969886d640af3bfa442728b9f0dff9d5f5b0
-
SHA256
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
-
SHA512
324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6
-
SSDEEP
192:e/b2HS5ih/7i00eWz9T7PH6yeFcQMI5+Vw+EXWZ77dslFZk:ewSUmWw9T7MmnI5+/F7Kdk
Score3/10 -
-
-
Target
hypohydrochloria.app
-
Size
487KB
-
MD5
271b95b44bbafaf5d68ae0d972e1163a
-
SHA1
6816bd06b9b638de8e6517dfe7647ce409f2f4c8
-
SHA256
60412767f4eaea33f06a6a02f3b0975015e75f251ba6cbeee96ac712d0b23f9b
-
SHA512
cb7a65001cc0dbb63cddcd89166b575bd2612f75100ca47ff8a8162825a5c91a5c2b60b83447f33a7aad1c0f1a7eee4c5f340e5d66141ee59309b59ca461d992
-
SSDEEP
1536:vGAVO3tWkduBR8240f+rzESOotNlufM+A/:nYQSA6AMIk+A/
Score1/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1