Overview

Overall score: 10/10
Static analysis: 10/10

Tasks (sample, platform, score):
PRE-ADVISE...49.exe  windows7-x64  10/10
PRE-ADVISE...49.exe  windows10-2004-x64  10/10
New P.O.exe  windows7-x64  10/10
New P.O.exe  windows10-2004-x64  10/10
174d337dc9...e8.exe  windows7-x64  10/10
174d337dc9...e8.exe  windows10-2004-x64  3/10
1acc6fd285...05.elf  debian-12-armhf  9/10
JDtnp2mcrQvXDeo.exe  windows7-x64  10/10
JDtnp2mcrQvXDeo.exe  windows10-2004-x64  10/10
73c5c4b126...f0.exe  windows7-x64  10/10
73c5c4b126...f0.exe  windows10-2004-x64  10/10
PR-ZWL 07...O).exe  windows7-x64  8/10
PR-ZWL 07...O).exe  windows10-2004-x64  8/10
SOA pdf.exe  windows7-x64  10/10
SOA pdf.exe  windows10-2004-x64  10/10
8c56b0f77a...4a.exe  windows7-x64  10/10
8c56b0f77a...4a.exe  windows10-2004-x64  10/10
a7756cd5c5...c1.elf  debian-12-armhf  1/10
ac6ea6239a...de.exe  windows7-x64  7/10
ac6ea6239a...de.exe  windows10-2004-x64  7/10
c55761decb...27.elf  ubuntu-22.04-amd64  (score not shown)
c79a98c3a1...73.exe  windows7-x64  8/10
c79a98c3a1...73.exe  windows10-2004-x64  8/10
d30f8c9b89...30.doc  windows7-x64  4/10
d30f8c9b89...30.doc  windows10-2004-x64  1/10
d38f510bc1...26.exe  windows7-x64  1/10
d38f510bc1...26.exe  windows10-2004-x64  1/10
d623c0b8d9...cf.bat  windows7-x64  1/10
d623c0b8d9...cf.bat  windows10-2004-x64  1/10
RFQ-2402-3572.exe  windows7-x64  10/10
RFQ-2402-3572.exe  windows10-2004-x64  10/10
INV&PL.exe  windows7-x64  8/10

General

Target: 4f3c0de5a08e918050382a42c6109fda68cc8167664065ebd98c73d761fde3f3
Size: 18.4MB
Sample: 240620-cqz7raxfpl
MD5: 40685ad748cf99dfd9aa8747195b266f
SHA1: 844094dced2c259dac21977fd6f5415e4781e319
SHA256: 4f3c0de5a08e918050382a42c6109fda68cc8167664065ebd98c73d761fde3f3
SHA512: decf87807bec6966c63694fd1529abdb4f4b97c4526ee7cbe52b78bde002d1ccce1cb51d6f679ac28fa68b29b459a772b6165041fa31b81ba972f3e833a7bd3a
SSDEEP: 393216:lR66vlrcuVVO5wF1yVrvQud+WoTtDsC9cOv+5cMRbco0vTRtqgxzLwxwZAeZU:lR6IBni7lGOscQMRbKTRtqWwxa1ZU
Behavioral tasks (task, sample, resource):
behavioral1: PRE-ADVISE PO 45202549.exe on win7-20240611-en
behavioral2: PRE-ADVISE PO 45202549.exe on win10v2004-20240226-en
behavioral3: New P.O.exe on win7-20240220-en
behavioral4: New P.O.exe on win10v2004-20240508-en
behavioral5: 174d337dc96f1d28833631db40dfb53ed28878b50ade6698a423b222b3ff78e8.exe on win7-20240508-en
behavioral6: 174d337dc96f1d28833631db40dfb53ed28878b50ade6698a423b222b3ff78e8.exe on win10v2004-20240611-en
behavioral7: 1acc6fd2850bf39084454669685e98ad49bfab90fcafe1e91f49caf4af182405.elf on debian12-armhf-20240418-en
behavioral8: JDtnp2mcrQvXDeo.exe on win7-20240221-en
behavioral9: JDtnp2mcrQvXDeo.exe on win10v2004-20240611-en
behavioral10: 73c5c4b12646631dbf1e8adf10b52b8635b34d02d753d3fe829bd41210f547f0.exe on win7-20231129-en
behavioral11: 73c5c4b12646631dbf1e8adf10b52b8635b34d02d753d3fe829bd41210f547f0.exe on win10v2004-20240508-en
behavioral12: PR-ZWL 07364G49574(Revised PO).exe on win7-20240508-en
behavioral13: PR-ZWL 07364G49574(Revised PO).exe on win10v2004-20240611-en
behavioral14: SOA pdf.exe on win7-20240508-en
behavioral15: SOA pdf.exe on win10v2004-20240611-en
behavioral16: 8c56b0f77abb15a25ffdd9e0700475d339c640c4f40094a8bc97223d850c1f4a.exe on win7-20240419-en
behavioral17: 8c56b0f77abb15a25ffdd9e0700475d339c640c4f40094a8bc97223d850c1f4a.exe on win10v2004-20240508-en
behavioral18: a7756cd5c50f47896fe717bf2ae620f8f3b451e84a70f983c6d79c4f7ad63dc1.elf on debian12-armhf-20240221-en
behavioral19: ac6ea6239a4b82d24b823f1a50ab207652024f33726730d4d7b791fcb2fec7de.exe on win7-20240611-en
behavioral20: ac6ea6239a4b82d24b823f1a50ab207652024f33726730d4d7b791fcb2fec7de.exe on win10v2004-20240226-en
behavioral21: c55761decbe72089e99909a2906c693b159c4b31564d8b795f8821b2683dba27.elf on ubuntu2204-amd64-20240611-en
behavioral22: c79a98c3a11afabf39a52a12cb7d1ee6cf4f9df5c7bc54aa969296f50b75aa73.exe on win7-20240221-en
behavioral23: c79a98c3a11afabf39a52a12cb7d1ee6cf4f9df5c7bc54aa969296f50b75aa73.exe on win10v2004-20240508-en
behavioral24: d30f8c9b89f3bd4630fdfb8b9c5390e7e828846cc99d1ba179a2bee7886e6830.doc on win7-20240220-en
behavioral25: d30f8c9b89f3bd4630fdfb8b9c5390e7e828846cc99d1ba179a2bee7886e6830.doc on win10v2004-20240508-en
behavioral26: d38f510bc1a2f2e389f22e0a8609f531472d1b367111f74de9109b49c91cbe26.exe on win7-20240508-en
behavioral27: d38f510bc1a2f2e389f22e0a8609f531472d1b367111f74de9109b49c91cbe26.exe on win10v2004-20240611-en
behavioral28: d623c0b8d9d662362b6347c6862217221e660082ef0a9bff77a83a6efffda4cf.bat on win7-20240508-en
behavioral29: d623c0b8d9d662362b6347c6862217221e660082ef0a9bff77a83a6efffda4cf.bat on win10v2004-20240611-en
behavioral30: RFQ-2402-3572.exe on win7-20240419-en
behavioral31: RFQ-2402-3572.exe on win10v2004-20240508-en
behavioral32: INV&PL.exe on win7-20231129-en
Malware Config

Extracted: mirai
Botnet: UNSTABLE

Extracted: mirai
Botnet: UNSTABLE

Extracted: agenttesla
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: xhcgmrubwdhylrry
Email To: [email protected]

Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: xhcgmrubwdhylrry

Extracted: formbook
Version: 4.1
Campaign: cr12
Domains:
nff1291.com
satyainfra.com
hechiceradeamores.com
jfgminimalist.com
qut68q.com
pedandmore.com
sugardefender24-usa.us
somalse.com
lotusluxecandle.com
certificadobassetpro.com
veryaroma.com
thehistoryofindia.in
33155.cc
terastudy.net
84031.vip
heilsambegegnen.com
horizon-rg.info
junongpei.website
winstons.club
henslotalt.us
home-care-72875.bond
elmetaversal.com
thetrendingproduct.com
kiki-hello-jury.com
fertami.info
free-cell-phones-en-arena.sbs
emilogiska.com
airexam.in
masters-of-1.com
othersidings.com
fullpaw.com
xmmtrader.com
astronomersparadise.net
cert.agency
pools-97641.bond
forexsignals-trading.com
bxsmediaconsulting.com
perfectedskincare.com
footresort.com
warehouse-inventory-80963.bond
purifygenius.com
bolinkpass.club
velleclub.com
epuar.com
winningpickleballshots.com
spiaggia.club
kadinzuri.com
keyboards-280323.cfd
africanfemalefounders.club
tkoelectriical.com
wg5688.com
properrr.com
fortune-tiger-rede.com
65302.vip
psychologyzerodegrees.today
top99bet4d.site
priuswuxi.com
carneden.com
ptwix.xyz
furniture-70925.bond
064817.com
ferradaoffroad.com
pix2click.life
jurj.xyz
spiritualpath.info
Targets

Target: PRE-ADVISE PO 45202549.exe
Size: 731KB
MD5: cb95734e59b6b649c53ebae76634a05c
SHA1: 2211f611f66a45c94079c99d9e43bf9c1309c498
SHA256: 73c5c4b12646631dbf1e8adf10b52b8635b34d02d753d3fe829bd41210f547f0
SHA512: b92e3656eaa0d0de42daf45feb572f387c9cb4163e0657e80dcf51dd85c703c646fd1a751160f7c1149824cf41cf45fd3e08cef9323e3b29006983652a4c7731
SSDEEP: 12288:RgsEDqiqyJMEFFYRqXHkgiANPvzB6GLPmgMuJHC9YGvmxa7hyGlvdPR/Ue77P578:Ge5OLFTXHkgiMPl6G7quJim0mcFyGTPm
Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: New P.O.exe
Size: 1.2MB
MD5: bf62b57ee6b1e88d479e982fcc5bcf68
SHA1: 35956b67857e333893689bf293b053653180bc87
SHA256: 174d337dc96f1d28833631db40dfb53ed28878b50ade6698a423b222b3ff78e8
SHA512: ce25b0d13a2af6df4a89a7376684535b78b2cf4fff76121344ab700a70852f0a23f70eddbe8884f70584c4a12afbc20149a4e6253a23de5294672d0998713553
SSDEEP: 24576:PAHnh+eWsN3skA4RV1Hom2KXMmHa0cBsAbHXBRSPO2fC5:yh+ZkldoPK8Ya0ahdRFP
Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 174d337dc96f1d28833631db40dfb53ed28878b50ade6698a423b222b3ff78e8.exe
Size: 1.2MB
MD5: bf62b57ee6b1e88d479e982fcc5bcf68
SHA1: 35956b67857e333893689bf293b053653180bc87
SHA256: 174d337dc96f1d28833631db40dfb53ed28878b50ade6698a423b222b3ff78e8
SHA512: ce25b0d13a2af6df4a89a7376684535b78b2cf4fff76121344ab700a70852f0a23f70eddbe8884f70584c4a12afbc20149a4e6253a23de5294672d0998713553
SSDEEP: 24576:PAHnh+eWsN3skA4RV1Hom2KXMmHa0cBsAbHXBRSPO2fC5:yh+ZkldoPK8Ya0ahdRFP
Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 1acc6fd2850bf39084454669685e98ad49bfab90fcafe1e91f49caf4af182405.elf
Size: 187KB
MD5: 5a57c37935e84a37aaa682cf4c991222
SHA1: 171bf1e48e28d1c332711861dffaeabd0f014bce
SHA256: 1acc6fd2850bf39084454669685e98ad49bfab90fcafe1e91f49caf4af182405
SHA512: 2dac831ad836920cc5e82099934db14af33189a0d807abb8b7a094a6a3857fe92c3415d76537f0ef9b326a3adfc94bc30ab288093f4307afc2f3680b32b39ba7
SSDEEP: 3072:mWSFzOpsT6FbGqEVyYaySFjiHNjgsxSuRgh86Mcmo+M/RegKmYRA:mW8iplbGLgYaySFjiHN0sRq867v+M/RX
Score: 9/10
Signatures:
- Contacts a large (74734) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.

Target: JDtnp2mcrQvXDeo.exe
Size: 652KB
MD5: 3aee87433e931e3a5fc22f57f428fcbb
SHA1: f6495dd08bdc9d8d049e1e898800bd8d9311a549
SHA256: 709cb8b2628d52b597a87f74bd8867dd40cb54bd48940d159dd11930d9d76472
SHA512: 8f12394205a9940feaf4d350f2d4d6f3adb693e00a56ebb8933c6cb6b062f419e4aaf0f4ccccd507bc1cfe042bd9ac0ee669d52e29daebd2c8465a3c709e4f24
SSDEEP: 12288:G3qyJMjKlhpPEe0XTfBSH9GuIwY4HwHDohzRqrewL5aArEpVLsGY:G6OFh9EVckHBshMreWgWJ
Signatures:
- Formbook payload
- Suspicious use of SetThreadContext

Target: 73c5c4b12646631dbf1e8adf10b52b8635b34d02d753d3fe829bd41210f547f0.exe
Size: 731KB
MD5: cb95734e59b6b649c53ebae76634a05c
SHA1: 2211f611f66a45c94079c99d9e43bf9c1309c498
SHA256: 73c5c4b12646631dbf1e8adf10b52b8635b34d02d753d3fe829bd41210f547f0
SHA512: b92e3656eaa0d0de42daf45feb572f387c9cb4163e0657e80dcf51dd85c703c646fd1a751160f7c1149824cf41cf45fd3e08cef9323e3b29006983652a4c7731
SSDEEP: 12288:RgsEDqiqyJMEFFYRqXHkgiANPvzB6GLPmgMuJHC9YGvmxa7hyGlvdPR/Ue77P578:Ge5OLFTXHkgiMPl6G7quJim0mcFyGTPm
Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: PR-ZWL 07364G49574(Revised PO).exe
Size: 759KB
MD5: 6ef3cba91b136ae138380b710a104a12
SHA1: 5347a8375a4faaca804d39b6e892241086be8986
SHA256: c79a98c3a11afabf39a52a12cb7d1ee6cf4f9df5c7bc54aa969296f50b75aa73
SHA512: f65fd41faa37b1eaca4f60f830fc4c22c43f91821489bbfa9340f65c16e8056cd331b4cf68d8223245cbca6c7493e837cf15b16dfe371ff0a95183a9813051c5
SSDEEP: 12288:YgsrmyiqyJMbloYxlJHATl7Nn4JaywbIK/bOFNEpDg0891ZdujAC6lITYeMmR/E:QF5OyoY5ApZnRywbj/bieTi1ujAC6r37
Signatures:
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Modifies file permissions
- Suspicious use of SetThreadContext

Target: SOA pdf.exe
Size: 717KB
MD5: 0e928f8ca2a45826211c1e02c9ae09f8
SHA1: 502ba9469f174b8ae062278be8ca847616d4e0f8
SHA256: 3c4a6a16a5d8679e83400b100265e0513f5993e513d5f17c875976b09cd1bf25
SHA512: 1ae4d75d15026e3277b42918756b1bc7a91960811136af4672ca48c9b943279b4ff22be4382275629693ae9f17b0c3e95ac1ade95c5bf167086015478aca4ca4
SSDEEP: 12288:I3qyJMM/F1KswrqeiQgLI/VvH8WX1wMVeARbNPnN9jXBOQS6XczZLK4I7ukDkR:I6ON1KAYVvH8inwARbNPNNX3VMBK41kW
Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 8c56b0f77abb15a25ffdd9e0700475d339c640c4f40094a8bc97223d850c1f4a.exe
Size: 261KB
MD5: cf98d600d1bcb5cbf653ce1c217afffd
SHA1: b390d1d18f7525df4ba20fb9a05c29661313303e
SHA256: 8c56b0f77abb15a25ffdd9e0700475d339c640c4f40094a8bc97223d850c1f4a
SHA512: 6c1edcf5cc6ccdc3536ddd6e20f101551a3ec3ec9745eab9714922ca16a5c4d6763f8e1df172672ec5987310b6efb7335056ff23970f2404bad1bca228c87b20
SSDEEP: 6144:zDKW1Lgbdl0TBBvjc/pln9MM1opjyQk0cfXGN49gT:nh1Lk70Tnvjcn93eplkJmT
Score: 10/10
Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: a7756cd5c50f47896fe717bf2ae620f8f3b451e84a70f983c6d79c4f7ad63dc1.elf
Size: 142KB
MD5: 6c189b57296bbee400556efb87716501
SHA1: dfb372e7329d279ea0c7c88c9fe4c332332c3345
SHA256: a7756cd5c50f47896fe717bf2ae620f8f3b451e84a70f983c6d79c4f7ad63dc1
SHA512: e2f27fed8f1939c72d46a9e514ece01174917ea1e0b6a7746a8ca7d82427338f2b587424f184408678687ed8bd447a41d9f8c44eeac78f450d3349d0e0abc3b9
SSDEEP: 1536:M+noapd+7x2AZWwK58AvA4BBAhxrE4V9jFTbjBikIjqYjo8xnelMLwywh9ToGwV3:M+nb+EwuPv5BBwg4XF/jBioGN60aLRF
Score: 1/10
Signatures: none

Target: ac6ea6239a4b82d24b823f1a50ab207652024f33726730d4d7b791fcb2fec7de.exe
Size: 10.2MB
MD5: d3f70e7671df9f9817768d24c75aa735
SHA1: d1d758deac586c0629870b5df63f1de5a79d153b
SHA256: ac6ea6239a4b82d24b823f1a50ab207652024f33726730d4d7b791fcb2fec7de
SHA512: 51a921f93ddd21599fdba186a5abe72f9103e7e5ed4e863f8ff0eefd78e6941276bea1e84c240c3365cada2d4026d6794bae33b9a969d11c0141f17b2f189ac2
SSDEEP: 196608:N/7Olb2w9+L0YFqQxA10++MvJHDO6yBT9k0W8/L2yBE3U/aF1gJ3:NKlq5L0HQK1HnOT9W8qQiFaJ
Score: 7/10
Signatures:
- Loads dropped DLL

Target: c55761decbe72089e99909a2906c693b159c4b31564d8b795f8821b2683dba27.elf
Size: 97KB
MD5: 94d0eeb26baa543c32dc4ea8b62e83d5
SHA1: ecac42d08ca947284f63b9e30e3560c05568a963
SHA256: c55761decbe72089e99909a2906c693b159c4b31564d8b795f8821b2683dba27
SHA512: b7a826f645342136f37ce549d00e6b28ba23c8b515f83d1c1c6329788fcb74bddc13e723f2030b4c20be5c53b13eec4a6b52c18e9072a90b47153fd7e7955168
SSDEEP: 1536:u4w1sjHa+UtSe5g+r9naSgEHyGF++49MoeuefL6hrDb3cHNSH2b7:k1sjHndez9nIEHyslnuk+hrvGko7
Score: 1/10
Signatures: none

Target: c79a98c3a11afabf39a52a12cb7d1ee6cf4f9df5c7bc54aa969296f50b75aa73.exe
Size: 759KB
MD5: 6ef3cba91b136ae138380b710a104a12
SHA1: 5347a8375a4faaca804d39b6e892241086be8986
SHA256: c79a98c3a11afabf39a52a12cb7d1ee6cf4f9df5c7bc54aa969296f50b75aa73
SHA512: f65fd41faa37b1eaca4f60f830fc4c22c43f91821489bbfa9340f65c16e8056cd331b4cf68d8223245cbca6c7493e837cf15b16dfe371ff0a95183a9813051c5
SSDEEP: 12288:YgsrmyiqyJMbloYxlJHATl7Nn4JaywbIK/bOFNEpDg0891ZdujAC6lITYeMmR/E:QF5OyoY5ApZnRywbj/bieTi1ujAC6r37
Score: 8/10
Signatures:
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext

Target: d30f8c9b89f3bd4630fdfb8b9c5390e7e828846cc99d1ba179a2bee7886e6830.doc
Size: 118KB
MD5: e44b25aa77ee6ec4e9517331b3ee4c94
SHA1: 1b37cdea0ee1cc741f199e30faf0e2bc2563533c
SHA256: d30f8c9b89f3bd4630fdfb8b9c5390e7e828846cc99d1ba179a2bee7886e6830
SHA512: 6c8fe3f2c02805b3a26c969eb1ca1db91de5a7adbdde17ce403a79950f1f290f9178cf5679fbbcb231e8e744e940d3b30bab865a4de1e4cd21d3a0960f316c53
SSDEEP: 1536:xFwEsxtVS/MOh4GDD1D77L+WUx+a9FU4UU4HU4LUYHUY9U48U4UU4HU4oU47U4/c:xFwEek/MI/F/n
Score: 4/10
Signatures: none

Target: d38f510bc1a2f2e389f22e0a8609f531472d1b367111f74de9109b49c91cbe26.exe
Size: 1.7MB
MD5: 95cbc37d7c73ed0bf29074713701ce8a
SHA1: da6ad1007e94f69772eee09473dab8b4eb2db14e
SHA256: d38f510bc1a2f2e389f22e0a8609f531472d1b367111f74de9109b49c91cbe26
SHA512: a084c74bc1716356dad090a4aba0beee0aa4e098161a191781c48abb4db1c52f6f2167f9e48d60381f5b89822ea17ae62b9a7c755900842c897fad8b9897db81
SSDEEP: 49152:1Djlabwz9+HjAr6EwEVulQgsXd4WfLW+ZrZznY4:Zqw7rmEVulQgYxDPZzY4
Score: 1/10
Signatures: none

Target: d623c0b8d9d662362b6347c6862217221e660082ef0a9bff77a83a6efffda4cf.bat
Size: 35B
MD5: e45f6a0d55d7fa893be7ec033793ba6b
SHA1: 6905c4a234f4e6e9fcfd222a0d932e827b86d833
SHA256: d623c0b8d9d662362b6347c6862217221e660082ef0a9bff77a83a6efffda4cf
SHA512: 773730f1b0284d102060f20ac8f6b636fde2036b30ede41b5472754824a87c79c3995de5b7766b0802efb5698961ee82a4e862cb2a474d090b7f9c29e79b396a
Score: 1/10
Signatures: none

Target: RFQ-2402-3572.exe
Size: 706KB
MD5: 2e11cbc359b45e25b7f5f3b6008f3adc
SHA1: e640cc86dfed0419775c394ed050674667ed8b2e
SHA256: 48c7311341af01dfa4d01d6000fb17d6956d6607f2714bb88bba2f8ca0a93fbc
SHA512: 4a4c3b8d84f8a7a7b09bd584b17f07fe929abd938b64cef95e2890512d988eff116ce726694d53e5d78e3063ed71b0ac3d33ebfa8db6dc3ec8b2469578c5c8ba
SSDEEP: 12288:r3qyJMIC222lCz/mh/otW1AmPCLHmR895zB8DSSAwlDJyhy3KJx:r6Oo222Y7mh/BKm6vDF8+S/GhgKL
Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: INV&PL.exe
Size: 888KB
MD5: 3d62e0fc4fca8100b42897e70a53d231
SHA1: 330509cdadfcf790502287f308c30f2f273f2da3
SHA256: e8337caecb446835a9104cbc6bccf21fb76c0ab31a285a5e2049be0b1a6bc273
SHA512: bd27f9c93cd80df38221090c21a894676220129f2942e2e1884a47054ff7643de7903384e4033131b758974c876fefed86e4e6c6a30297e6e30e60968101642f
SSDEEP: 12288:Q1ZBq7/ExfbSRmrZn9gHLYBrsd5dewor0FPpDI5mMXoWV2woUb+gRyd1wV1ERc1:Q1Z07/ExfbVrZn9GXd/cm05mMXzvr+qp
Score: 8/10
Signatures:
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13); the number in parentheses is how many tasks triggered each technique

Execution
- Command and Scripting Interpreter (4)
  - PowerShell (4)
- Scheduled Task/Job (2)
  - Scheduled Task (2)

Persistence
- Boot or Logon Autostart Execution (6)
  - Registry Run Keys / Startup Folder (6)
- Scheduled Task/Job (2)
  - Scheduled Task (2)

Privilege Escalation
- Boot or Logon Autostart Execution (6)
  - Registry Run Keys / Startup Folder (6)
- Scheduled Task/Job (2)
  - Scheduled Task (2)

Credential Access
- Unsecured Credentials (16)
  - Credentials In Files (12)
  - Credentials in Registry (4)