General

  • Target: 03042025_0902_30032025_INQ_MB2-Materials_Specifications.zip
  • Size: 1.4MB
  • Sample: 250403-kzpflstvdy
  • MD5: 2f0659e4c602ddad271c623028127b2d
  • SHA1: 4fb0d112383add08872303d48e96c8dd985a1e59
  • SHA256: 025aa90c793bb63db06ae44eacfcd4fddb8413cc333d4aa403d99d41e3a10cfb
  • SHA512: 569e1313fe93842a95e6058d3352796abb737dcb99bf4076509332399757f2f79bcfc8fc67474bd629b2d2d8a259d8bdc8763d5d43d9f8289055ce600e249e84
  • SSDEEP: 24576:hFiEcWRWmQEtPXt15IDkuifgPWTBpohM1+t/xj3VzGLb2+gaXMrKQ4wYdc7lzeoM:jczPEF6+fvsE+n4xgOtQ+cBzg3

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: mail.dkplus.com.tr
  • Port: 587
  • Username: [email protected]
  • Password: 04rf710m29

Extracted

  • Family: redline
  • Botnet: success
  • C2: 204.10.161.147:7082

Extracted

  • Family: agenttesla

Credentials

Targets

    • Target: INQ_MB2-Materials_Specifications.exe
    • Size: 1.9MB
    • MD5: 3556f7f4d6925435827cfb674bdbd313
    • SHA1: ee25215f2803fe7447b972c6d4a9c343361969e4
    • SHA256: 43b81ca09ffa6f564d6ee5d2a1e5966d57810c23daef8c5a18ffa2b75afb1dba
    • SHA512: 88585ed9ba7ce94c39307d4b114f43d9b7670168fb9d5313b9969f11bc42d116e459cd7bc5bdf899f175b16c5558a58ffe7c235ed4ae806e546c1126a01ad973
    • SSDEEP: 49152:0o0c++OCvkGs9FaXcnVkKuVhnQY3Dmg27RnWGj:tB3vkJ9z3knQ2D527BWG

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Drops startup file

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks