General
-
Target
autoit_set.zip
-
Size
204.8MB
-
Sample
250103-h8l1qstpev
-
MD5
18b2a2d7a2893ca640cab388a362449a
-
SHA1
b11a3a954b371d9bb877474c55d6cf77c925be35
-
SHA256
ff0a60c487c841636d024e647d266c229c96c7334d085c47d535754fc390b412
-
SHA512
f6a55bafe20033dd4b5d4c1a303987f9827f9dc422bf71b41d4830dc7c246373b8ff975e5c3918a9db33d2852b83d0385d4c825fc15b881732022a06c3d05195
-
SSDEEP
3145728:/hdcdCx/l9Ny+gi5nQt71DW7XvKb8+G3DmVmzLAgKZU4pwrGa:pK4JnNMi5I167Xl+WDmIwgKZUM2
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.tradolgt.com - Port:
587 - Username:
[email protected] - Password:
445566nniI - Email To:
[email protected]
https://api.telegram.org/bot6392998330:AAEoU34KkrBXWdYsC0HHJhwWS-tXdCQBgic/sendMessage?chat_id=6386262734
Extracted
Protocol: smtp- Host:
mail.tradolgt.com - Port:
587 - Username:
[email protected] - Password:
445566nniI
Extracted
agenttesla
Protocol: smtp- Host:
mail.palumalimited.com - Port:
587 - Username:
[email protected] - Password:
85h!UAfvL2AE - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.watertechengineers.com - Port:
587 - Username:
[email protected] - Password:
Techno@1234
Targets
-
-
Target
3666991ba9b1b0ab338f41c37c0bfe3a8ae0fbfbde9820679a76362a610a0b23
-
Size
740KB
-
MD5
8379ff838164b21dbd287611dae13ecb
-
SHA1
d19e11692605f70504de8ab04a992627985facea
-
SHA256
3666991ba9b1b0ab338f41c37c0bfe3a8ae0fbfbde9820679a76362a610a0b23
-
SHA512
a4a2db5afd04a7f657520d2b84f19627a3381db5996803283868020dab1f89b56b3367585b10b2762ef57d8581fff0c36b989d5e00a63e7282813ee04d0e2b77
-
SSDEEP
12288:osHzOUNUSB/o5LsI1uwajJ5yvv1l2/BXyZPlcd2zhRKzdWTWTKgYzajbRtML7RQH:7iUmSB/o5d1ubcvKC5lcd2WUg3RquUjs
Score7/10-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a
-
Size
1.9MB
-
MD5
f8bc80e73c76d7a23228440ad8208980
-
SHA1
01bfca9e19f50d47c080b971c0264531697fdea9
-
SHA256
375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a
-
SHA512
6253d13dbac1a1b5742f168b1331e2a46c94606feb0f3508f036bd5d5db272bd7821e33aef739bb67506e2680cfe613bbf6a16c4fe340c64e76957c614d16dca
-
SSDEEP
49152:ah+okldoPK1Xax/jnZmrRsWgFIDRRAubt5M:zlcPK1U/tYIUf
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
3a55a5e05993d9369c5c407f00e05e235b39c45aba71fa25c6618827e767fa66
-
Size
706KB
-
MD5
7525ab848775a801b83b312c794d9167
-
SHA1
6371d301a9e1f1ed8aaf5dfedbd78b5ab9d9f875
-
SHA256
3a55a5e05993d9369c5c407f00e05e235b39c45aba71fa25c6618827e767fa66
-
SHA512
4c474383f38e942fce5853988cc00f0f0b444bf955fc6b7e06512706c52859d6d0eb9bd4fdeb1f5bb089cb92c3f7569d575d443270dfa7c5b84acb1fdbf85dba
-
SSDEEP
12288:oOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiFRO0/8qrxlG+wvMxMi05:oq5TfcdHj4fmbmXxlGpkxMN5
Score5/10-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
3a5c36086501b5a824f31f57103d9b137636f8e0b4f2d60291359b18d574060a
-
Size
1.0MB
-
MD5
fa5cc4be5a1032adb6f5601578930549
-
SHA1
12319dc70bfc33cc227a4b65d671d3fd7dda0082
-
SHA256
3a5c36086501b5a824f31f57103d9b137636f8e0b4f2d60291359b18d574060a
-
SHA512
cbf9aaf25f584d44407004abdec94fb4c96587062c5b8afb41c7fbe10907d1e71fb0a2fe676016bb7e8ef2ed4f73e29abc3a7059472fb1f613d40fcaffffb795
-
SSDEEP
24576:qD0tM85tbNJjldeYiYHk4+YjlsvJ3LvgIyA5L/ic38aehcOc7ZccU7y65/d3:qD0tM85DJjl/iWWvJ3LvgK5LiG8RqV7I
Score5/10-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
3a8196dc93da2c2e2a9515cbc5ff7e47d679e04ce51957551ebabc6496cc3103
-
Size
1.2MB
-
MD5
8fc0d31734978c221b06ed494b0388f4
-
SHA1
57d126275f4cb5a3599714e73a750c3c0ee43549
-
SHA256
3a8196dc93da2c2e2a9515cbc5ff7e47d679e04ce51957551ebabc6496cc3103
-
SHA512
57ee23e8064489bb418f7770fce701165b40adb64bd6f12d60068cecfc7088a9815d8a0d1afe6daa70ae4d862a19617b4ccb47d29f1f145b0cae033c116a918f
-
SSDEEP
24576:dtb20pkaCqT5TBWgNQ7aFFq96FClWSYSBIef5Yt0i+6A:OVg5tQ7aFE64/YSBPBCE5
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
3b2e4fc5bb057a461d0688b737c7e6f69d41563f732fec265564331036efdf0c
-
Size
1.2MB
-
MD5
c642604cc1e58705cc0c314894f0f42d
-
SHA1
c0c85ef296e43b20e58a0a0d2509dde938c6556b
-
SHA256
3b2e4fc5bb057a461d0688b737c7e6f69d41563f732fec265564331036efdf0c
-
SHA512
d526829a87814418399d5a6ca1a1537a8f46abd9bf0a578ad18818f90e4cbadc9ffda949f80495355a0c59f28282cc103ac24ec15e66ea1bf4e0ef7555234f2b
-
SSDEEP
24576:ztb20pkaCqT5TBWgNQ7a5RzaBhvbLFnW2LxEK6A:wVg5tQ7a5YbLtjLh5
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
3c81cd20323c282181d40fa0e8ab7b66dfd46edd7bafc3d6abeb072420b314fe
-
Size
1.0MB
-
MD5
3e473d16c81dd66fee6f02537b601626
-
SHA1
82f7667f0d8aecc63ce5fb9d86ec3d651223676d
-
SHA256
3c81cd20323c282181d40fa0e8ab7b66dfd46edd7bafc3d6abeb072420b314fe
-
SHA512
7f3ff26741dd497f8c2f8fb9a63de6c16140203446d35b277be71031070c882c97171448f8b15346f04868b5630d5ff99af101cc3b1f66345b053acd386fcc28
-
SSDEEP
24576:FAHnh+eWsN3skA4RV1Hom2KXMmHapvZqN9y7gYaM5:0h+ZkldoPK8YapvZO9y7Vt
Score10/10-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
3d134d49001a39cd3a83cc3983943d567b1393415ddfaf88c2accac2f3756124
-
Size
1.0MB
-
MD5
26b80fbeb1946a4fb199731c1359ef69
-
SHA1
4afc002c365e827a27b02a6713e2213678a5d0f4
-
SHA256
3d134d49001a39cd3a83cc3983943d567b1393415ddfaf88c2accac2f3756124
-
SHA512
64ce159c4b8e7803205c060585ff97a4c7cc3965b9221f36b292c379b5caf9a44d7f9ba0b6aab50324072793999adf865607001a9e25010bd56b4b4ac22b0b76
-
SSDEEP
24576:AAHnh+eWsN3skA4RV1Hom2KXMmHaccMQF4mS85:3h+ZkldoPK8Yacm4mR
Score10/10-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Suspicious use of SetThreadContext
-
-
-
Target
3fe4c784dfb841053360622561788dacfc8e4b81567bc461e4cd33e61d2d1e64
-
Size
712KB
-
MD5
c798a0526218a02b39a5789aac0f8802
-
SHA1
d23e9b5eb48d192a8494b225472478d820e7083d
-
SHA256
3fe4c784dfb841053360622561788dacfc8e4b81567bc461e4cd33e61d2d1e64
-
SHA512
beae93075c02917b483523e240727b91c640e4e23291b61cd11d1cb283762ab90784f09a53a1e842facba064f7ef60cf9eeb01085f8156e6963169c747805d52
-
SSDEEP
12288:sYV6MorX7qzuC3QHO9FQVHPF51jgc6B+gwiK3fw3uZhWOkVdRcTkXfmCspC1YHdm:LBXu9HGaVHaJK3I3uZoHuTofJr1Y/YGW
Score5/10-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
40f9a446728e079ce7f1b7b8cd6a6f2ff82e4fb22d209ae9576f178612d35369
-
Size
811KB
-
MD5
a66520a932198c68fc0df0423e2c046b
-
SHA1
d49acc9ad7e386a48d83d0bd334294b4168e21fb
-
SHA256
40f9a446728e079ce7f1b7b8cd6a6f2ff82e4fb22d209ae9576f178612d35369
-
SHA512
543ae2fa9923a599d55f0ec74f4eb2dd724209e83a5cb285fe19d40655ed8901c810013c6ba593cf55a7626cc120fdf5815a1eaa9e61ec071b2190f0b4f55f32
-
SSDEEP
24576:qD0tM85tbNJjldeYiYHkOtw0BH2Hmpp68BMQaV6/778:qD0tM85DJjl/iW1tpBFpp6Ha78
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
417d576bf16dfd44e888bfd508cd4fc7c4a985ef9916b221b06dbb3bff3186b0
-
Size
1.1MB
-
MD5
6064af0fb1184367e836c63d1c3c5a42
-
SHA1
dc0b48090c7847c9a4ad622df20f0bfa8b3f951e
-
SHA256
417d576bf16dfd44e888bfd508cd4fc7c4a985ef9916b221b06dbb3bff3186b0
-
SHA512
9989e6862e570e3ea7bc541c925fbf96282fb0eb94a25995ffc44c82b21ffcd0bd822f6f79593f57b890c7c75a7c52bbd13c6d484b33dec5b4a182db7d695511
-
SSDEEP
24576:oAHnh+eWsN3skA4RV1Hom2KXMmHapV5f8YRmYcsXu8dLn5:vh+ZkldoPK8YapV5ySXnL
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad
-
Size
740KB
-
MD5
1ff326b327dfb16c932fe4d904f4ccf7
-
SHA1
a3b7a53df4e9c4125ab6c03c8d1e50204cf0ff9f
-
SHA256
41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad
-
SHA512
b717f440a35e4687fbc7b3024d7de8c1f6eb55ad026a798b076572f267d49585d3cbdb572678f64e4512f5f2672813c493d01f78621c9bb57b72ce27db165713
-
SSDEEP
12288:5sHzOUNUSB/o5LsI1uwajJ5yvv1l27rzUEX5ENgcGCXfkUg9vfopCHm3If3/8xLE:giUmSB/o5d1ubcvMX5UgcXyfop0v8xLE
Score7/10-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
42a09e735691f947b7cc6d8f9a9cebbf9e87ac1fc2cbd0a4f0aa2b1b9eb4262c
-
Size
1.1MB
-
MD5
af543f56f1a0b6d5ee124d57a2ecde49
-
SHA1
1d500618b4bff325779ae55036fd98ce45512451
-
SHA256
42a09e735691f947b7cc6d8f9a9cebbf9e87ac1fc2cbd0a4f0aa2b1b9eb4262c
-
SHA512
0e8361c3692543a39044b01a1aa00238f765a4ca0eee336674fce7489f36e1cf59607541bbe82de1e848b76f57cd88d78176e53039981ab2caf08884b91a6f4c
-
SSDEEP
24576:bAHnh+eWsN3skA4RV1Hom2KXMmHaQnoDWRioEwfnYptP5:2h+ZkldoPK8YaQoDWRVQ
Score10/10-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
44b1b50b000cd1ae114f7dfbded83d88962b647c0b2c71a6be0222a9bea51a7f
-
Size
766KB
-
MD5
187b48ce81a690f2db84c8fcaff8170a
-
SHA1
d3f7f27cd5fad9396ccfe71270b3cb0ad440cdff
-
SHA256
44b1b50b000cd1ae114f7dfbded83d88962b647c0b2c71a6be0222a9bea51a7f
-
SHA512
8cc46d488e3b6e1631fde6795b8184953d79ead140eb067c85fe14b07f822eda6d08f3ae57af3102fb1776a9d9068d1f7846552e4f85fd93ffd5ea789968d27a
-
SSDEEP
12288:LOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPikiEAmDOvFR/qOK9U4E6bWbGO3SA4P:Lq5TfcdHj4fmbTinR/ZK9rEXeJ913
Score5/10-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
450fcf9d115867ad23b3436808e43bcf3a3f77325124ca1835851644fd486a04
-
Size
1.5MB
-
MD5
0c044c6e772f7b1bea96ffb47398a558
-
SHA1
8fa01a99e3e533066e1bd5dad29616b1844e8de8
-
SHA256
450fcf9d115867ad23b3436808e43bcf3a3f77325124ca1835851644fd486a04
-
SHA512
b286cede4d05d4026bf72872fe24b428028721a7421270299de4eeab8e7fd8d3041ac2a7eb889d7ce6b043c8aaff2d94f1b7d51864e21d71be90e2a115eca614
-
SSDEEP
24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8aT3kFIKdZQMi66HAdwKT:9TvC/MTQYxsWR7aTUGoPD6zK
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
46836f3afb222bd150f0fe58f9d0019fd341544b2101a2e44c52bbd02a2dacd5
-
Size
1.1MB
-
MD5
8560a2b96b2e376fbd8b0e2d50c49581
-
SHA1
18b386af23b09e465d13464dc38ebf63f30d6968
-
SHA256
46836f3afb222bd150f0fe58f9d0019fd341544b2101a2e44c52bbd02a2dacd5
-
SHA512
dec5d2db3b3bfa5bdf9f3b7084a2bd12418cd7142a898944dd07af8cf4bb85bd12c12f43dc50469684ddde5f3f1074f2a9892f14e141f63e7f80d76ca7bec79d
-
SSDEEP
24576:jtb20pkaCqT5TBWgNQ7a03rn0IrWxeYHtT3yNOY6A:gVg5tQ7a03wNFNQX5
Score6/10-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2