4524f74c75340e0761a5e4e0f3c070fb96a364de054fead9c96c8ee8f4f81f0a | Triage

Submit
Reports

Overview

overview

Static

static

TNT E-Invo...df.exe

windows7_x64

TNT E-Invo...df.exe

windows10_x64

Sharing

General

Target

TNT E-Invoice Consignment Delivey Notification_pdf.exe
Size

401KB
Sample

200731-t9l5tqyjq2
MD5

bbebe99bf36cb3dc4c3c37a9487468ac
SHA1

b3c4734cbc3846304647fbf6854f6cbb3c0ab635
SHA256

4524f74c75340e0761a5e4e0f3c070fb96a364de054fead9c96c8ee8f4f81f0a
SHA512

64dfec480badbb528b1cc43d90780b7a1600bdb768da047013d5db16ebdf49d003dbc01a43568104c5dba220f54ff95f7c12648ca4cbed8a2098c817e1cf2016

Score

10^/10

persistence spyware

Static task

static1

Behavioral task

behavioral1

Sample

TNT E-Invoice Consignment Delivey Notification_pdf.exe

Resource

win7

persistence spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

TNT E-Invoice Consignment Delivey Notification_pdf.exe

Resource

win10v200722

spyware persistence

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.minioninvest.com
Port:
587
Username:
support@minioninvest.com
Password:
uchegite08

Targets

- Target
  
  TNT E-Invoice Consignment Delivey Notification_pdf.exe
- Size
  
  401KB
- MD5
  
  bbebe99bf36cb3dc4c3c37a9487468ac
- SHA1
  
  b3c4734cbc3846304647fbf6854f6cbb3c0ab635
- SHA256
  
  4524f74c75340e0761a5e4e0f3c070fb96a364de054fead9c96c8ee8f4f81f0a
- SHA512
  
  64dfec480badbb528b1cc43d90780b7a1600bdb768da047013d5db16ebdf49d003dbc01a43568104c5dba220f54ff95f7c12648ca4cbed8a2098c817e1cf2016
Score

10^/10

persistence spyware
- Modifies WinLogon for persistence
  persistence
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies service
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

persistencespyware

behavioral2

spywarepersistence

© 2018-2024

Terms | Privacy