General

Target: jewelry Order.zip
Size: 20KB
Sample: 210405-3zm51kx3ys
MD5: 6f02df8811c1c596a39204b591de384c
SHA1: c1a9bd6e3b7414551ca5104475b4c1ea1fe19dc8
SHA256: 41922728c35fd716130111dfc939384b50fe175b04f37ac1ab5c94426c1cb8f8
SHA512: 9f5dc095e033a36f35231e1e7eca022290b5cf4b6b61eab381185f078b18f288bd80ab3dd1f8fcc62020a4247ef0d45125d75c29f13617e9826e850ca3d8d961
Static task

static1

Behavioral tasks

behavioral1
Sample: Pendants (2).exe
Resource: win7v20201028

behavioral2
Sample: Pendants (2).exe
Resource: win10v20201028

behavioral3
Sample: earings.exe
Resource: win7v20201028

behavioral4
Sample: earings.exe
Resource: win10v20201028
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: Smtp.atlassecuritys.com
Port: 587
Username: holyman@atlassecuritys.com
Password: }I9@Yru*QfuS

Extracted: warzonerat
103.199.17.185:5200
Targets

Target: Pendants (2).exe
Size: 24KB
MD5: fd27f0d132c4cfe0b8a63480d297007c
SHA1: 2132be80f51eb8044e330bbe013970649229b18a
SHA256: 7418a63befca526ff62f4a9230ecd45d82585e2612d0bf4c5baf14d3f4d984a4
SHA512: c326bec33bdc411f1701ec070d48b1acd789dc6ed83c561472d5dca04faf21e7d8a022559d8dce960aba91f6d9d1479d544ac44fe4b8594504e734885c20a8ca

Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Turns off Windows Defender SpyNet reporting
- AgentTesla Payload
- Nirsoft
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
Target: earings.exe
Size: 24KB
MD5: b8a397c2bb7b7b13dda84893c34707de
SHA1: aaafe2fbb98d4d52b47fab269efae6fb30882288
SHA256: 321b6f97457bc64a7fa264043d5f7ce3b6dc1ddd735daf77820580b2f7ff7a93
SHA512: 4851e9ede6e9179fae47f1304c306cae931302551452537a4bf8ff2aa6e194bdf0c12531da43d33d5bc990e4c3efa6f24a4822b5be20c5bcda66b964c4b1e846
Score: 10/10

Signatures:
- Turns off Windows Defender SpyNet reporting
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Nirsoft
- Warzone RAT Payload
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext