General

  • Target

    9bbecc1749b4de47b175c20ddddd335e.exe

  • Size

    1MB

  • Sample

    210723-k33d5qewvx

  • MD5

    9bbecc1749b4de47b175c20ddddd335e

  • SHA1

    ee1512d73ce9375b7ee1c2fc4ffc5f994f4929ed

  • SHA256

    0de691a91c2cce2b647aafa0fc5abdbfb84e2a91cda8ff93f4f85f2385007901

  • SHA512

    3aa6002a7149a16a2c3eabed98c4bc65af5683853f231eeb8d70eba0452d9e2e79d76effd5101d1958491dc0498c0f10abc06c42ec02f03ef7792529c4669254

Malware Config

Extracted

Family

warzonerat

C2

ghjklhgteg.strangled.net:6703

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1846829589:AAHSsEDTKvDOQ17YrNRY5_FXv5z4mpfGRIc/sendDocument

Targets

    • Target

      9bbecc1749b4de47b175c20ddddd335e.exe

    • Size

      1MB

    • MD5

      9bbecc1749b4de47b175c20ddddd335e

    • SHA1

      ee1512d73ce9375b7ee1c2fc4ffc5f994f4929ed

    • SHA256

      0de691a91c2cce2b647aafa0fc5abdbfb84e2a91cda8ff93f4f85f2385007901

    • SHA512

      3aa6002a7149a16a2c3eabed98c4bc65af5683853f231eeb8d70eba0452d9e2e79d76effd5101d1958491dc0498c0f10abc06c42ec02f03ef7792529c4669254

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • AgentTesla Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Winlogon Helper DLL

1
T1004

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks