General
-
Target
22353112183fd96e23f5a134378ad7856f7a02c064d838a292ef65261ac5a98b.img
-
Size
1.4MB
-
Sample
240628-bkpy6avglp
-
MD5
5c893b03b1a2fdf52bd4c6cb333f9c02
-
SHA1
b91986e93e5258c46bc3aa1eadbb4c5b716877b9
-
SHA256
22353112183fd96e23f5a134378ad7856f7a02c064d838a292ef65261ac5a98b
-
SHA512
f711b9ce6f5706aae0b37190351c72f60b2e7e1e5ab887c46e932ef56edb784f081b17785bbb8e8e8faf032777bbfc04fb7c378a5371a217b459785df65f1824
-
SSDEEP
12288:QcIjd3nQIQsk3na+Qin2At4FhujlTdp6c4TgONNER+NzYCzXBl5GgCWr2m:QcIjUna3in2o4FulG4ONNi+NBNlY2am
Static task
static1
Behavioral task
behavioral1
Sample
27062024-322copy.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
27062024-322copy.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Disintricate/keelhauls.scr
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
Disintricate/keelhauls.scr
Resource
win10v2004-20240611-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://mail.hearing-vision.com - Port:
21 - Username:
[email protected] - Password:
LILKOOLL14!
Targets
-
-
Target
27062024-322copy.bat
-
Size
873KB
-
MD5
a37f4e7d2f3ac6c995f1986fcc9bb48f
-
SHA1
4e922eccec03db2683096b531801c73227e5ff42
-
SHA256
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af
-
SHA512
2959cca5d24deb57910fdd7ae9baae27c3bd0790868730477391e0a7e42fd8aec21225e902c96e46ccd23c2d3b80f8cb9a43d3d4e545fcd2c1d083564d2869ab
-
SSDEEP
12288:XcIjd3nQIQsk3na+Qin2At4FhujlTdp6c4TgONNER+NzYCzXBl5GgCWr2mS:XcIjUna3in2o4FulG4ONNi+NBNlY2amS
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
55a26d7800446f1373056064c64c3ce8
-
SHA1
80256857e9a0a9c8897923b717f3435295a76002
-
SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
-
SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b
-
SSDEEP
192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
Score3/10 -
-
-
Target
Disintricate/keelhauls.scr
-
Size
1.0MB
-
MD5
87a3ce82a211e6022d7145c99eef5edc
-
SHA1
d2aa5daef3272acdee40657353ebb0ba94728e8d
-
SHA256
66bf6c84307739696eb18d632b6a34755375e61f3c612dc273c7f8f25fcad938
-
SHA512
66f2bc1530f6d187749486c7305f069d67964ef5427a6a59f2dc081469f5d608c6e0d2c30edef70a6a79e6386be1528ae2b8725ba704e2d3cf8b2f303d8eb1cf
-
SSDEEP
768:N9lotXK6U6HA/zmsIxzvraRwfj+iMbmwrhg2hnwjYBm2GOP9bsWZafCJL6Ir7wxG:QRPMLzJ
Score1/10 -