General

  • Target: 028b15aba247bb4e5c2e54f9a6f7bbe2f25edf24f56286bea98bc2309a948b6d
  • Size: 823KB
  • Sample: 250329-ndpe9stmw6
  • MD5: f28966f016ad5d2c745a773d11759dcc
  • SHA1: c7c08326715e05852264fd36c329adc1a48bb689
  • SHA256: 028b15aba247bb4e5c2e54f9a6f7bbe2f25edf24f56286bea98bc2309a948b6d
  • SHA512: 3d72c0cf71833f0280ef42b3a8573da0362e6e4abb4d68a5e62a2c374d91a9d803ef616f29df97d4351247aef4348aabdfe13c555cc39dc89866e7675421ccfa
  • SSDEEP: 24576:4uW3X8RZ5CKqTyCJCILDHaOc06IqNQhO3/7z:93RnCQOsjn

Malware Config

Extracted

  • Family: redline
  • Botnet: success
  • C2: 204.10.161.147:7082

Extracted

  • Family: agenttesla
  • Credentials:
    • Protocol: smtp
    • Host: mail.dkplus.com.tr
    • Port: 587
    • Username: [email protected]
    • Password: 04rf710m29

Targets

    • Target: INQ_NB64773898-STOCK-U78477363.exe
    • Size: 1.3MB
    • MD5: 87c252fb664a71af9b62da1a7661d2e9
    • SHA1: a6df180a2d267faf3d7c08ca9b218ac9008f27ed
    • SHA256: a48800d7b18541d4375e24bfede8beb941e55bc2c5d996553425bc3c52c0f0a9
    • SHA512: ec9403c0c64513210957317b93c4d79d034f8d0dd7eb64c315d8e82d1e97892d6c20e4e024b480cfd1cad1ffd9fa7a2e3daf030103755361729a1c3152be270e
    • SSDEEP: 24576:hu6J33O0c+JY5UZ+XC0kGso6FazOiI8GE7zFP6W2BjjnW2ckPWY:zu0c++OCvkGs9FazjnP6h5jWxY

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15