b1954d6c1f249601ce6c562f6258ab29.exe

General

Target: b1954d6c1f249601ce6c562f6258ab29.exe
Size: 1MB
Sample: 210723-qym6kqp4sj
Score: 10/10
MD5: b1954d6c1f249601ce6c562f6258ab29
SHA1: f14797cd7a1d5c93e0acaab9ae808447c7d49646
SHA256: f6b969be87ff04be7afa8ebb789d8867356700537c3ca7cc8f64d2a587c0c0d6
SHA512: d7621ea34a49d9c3ca1e3ddd542a8e2e7115408b5959dbfc0a0525a6ebe83d70a363f4cf8ce9bec40fc51462bd9b986e9e51825f379c0e915b42ce2f4114a579

Malware Config

Extracted
Family: warzonerat
C2: ghjklhgteg.strangled.net:6703

Extracted
Family: agenttesla
C2: https://api.telegram.org/bot1846829589:AAHSsEDTKvDOQ17YrNRY5_FXv5z4mpfGRIc/sendDocument

Signatures

  • AgentTesla
    Description: Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • WarzoneRat, AveMaria
    Description: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

  • AgentTesla Payload

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Sets DLL path for service in the registry
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Loads dropped DLL

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System; Credentials in Files

  • Modifies WinLogon
    TTPs: Winlogon Helper DLL; Modify Registry

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactics: Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation