General
-
Target
https://bazaar.abuse.ch/browse/
-
Sample
250408-szkreswky6
Malware Config
Extracted
Protocol: smtp- Host:
mail.xma0.com - Port:
587 - Username:
[email protected] - Password:
london@1759
Extracted
Protocol: ftp- Host:
ftp.haliza.com.my - Port:
21 - Username:
[email protected] - Password:
JesusChrist007$
Extracted
Protocol: smtp- Host:
mail.dkplus.com.tr - Port:
587 - Username:
[email protected] - Password:
04rf710m29
Extracted
Protocol: smtp- Host:
mail.milt.com.pk - Port:
587 - Username:
[email protected] - Password:
Mshahbaz$$786%%
Extracted
redline
success
204.10.161.147:7082
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.milt.com.pk - Port:
587 - Username:
[email protected] - Password:
Mshahbaz$$786%% - Email To:
[email protected]
Targets
-
-
Target
https://bazaar.abuse.ch/browse/
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Authentication Process
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1