General

  • Target

    c1faff57e041b52c6dc2a251eb60521621fc796330169d4e5b04a6e84cf49bf2

  • Size

    2.9MB

  • Sample

    220521-n1gzpshegm

  • MD5

    83b084e31d22420172b512c13d85fb29

  • SHA1

    da61793b805a60d6958725b7817e611e1e16d17f

  • SHA256

    c1faff57e041b52c6dc2a251eb60521621fc796330169d4e5b04a6e84cf49bf2

  • SHA512

    e2d7253058e0f98a22d86df002b97a634cf5fba63aeb930b3ff65e98aa6affe689d8ba06adea55f74ae9b16885b2c33e38a40b4d71091de2f2e6b69307648abf

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    abouttomarry123

Extracted

Family

warzonerat

C2

216.170.119.24:5200

Extracted

Family

formbook

Version

4.1

Campaign

hha

Decoy

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    abouttomarry123

Targets

    • Target

      Company Profile pdf pdf pdf pdf.exe

    • Size

      992KB

    • MD5

      6fef3cbba153c0f075035ec92dfb6e9a

    • SHA1

      b5bdf75e292ed3578172e80e604b96afa9686cb0

    • SHA256

      058edd37e76814c72e3b158791ec7ce2313550521bd522dba07d6c21903aee7b

    • SHA512

      efcb5c5229490fb2d9ed4ef7f8fa60449917b00dcaed1bd44292b0cea2e1e8ad3c5939d0c3ae549d8d5730b7d8df24a0b12946aebc3f6bcae44bf2356254fbea

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      Invoices12032018 pdf pdf pdf pdf.exe

    • Size

      701KB

    • MD5

      adba8eb89fb39495c55c143d2e46b70e

    • SHA1

      9c36946b4ce03961de5d27317b4fdb861166bf7f

    • SHA256

      f0610807d973782048ad57275cdbb730da9974ea54f6de294f6e8ea82eca2d98

    • SHA512

      b6bb56d6640788f8b041898e59746e4b12f8f131668684dd5a0953fd486a239c5106fc404480572886193ee863ff3a731d6087dfba6a02df9d596737aed53a2d

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT Payload

    • Suspicious use of SetThreadContext

    • Target

      Me jpg jpg jpg jpg jpg.exe

    • Size

      794KB

    • MD5

      2ede82a76d48e1a1cf3d3c55b18db290

    • SHA1

      854589e5ea918e9033e56216a7f3d6bfd6dec59a

    • SHA256

      f1c80232eaed26af259c818427b444f12057b9329804da8ded13ec9fd20d3413

    • SHA512

      1e0deaf9afeed65367f7b0d04cc413449331820b03bd075dbadc1a593842ce3dc7f868ccee5aa7af32cc528d01558f5251313f938d1bc5a431f71ca0fe1f409a

    • Formbook

      Formbook is a data-stealing malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Adds policy Run key to start application

    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      Pictures&Designs jpg jpg jpg jpg.exe

    • Size

      985KB

    • MD5

      f18c8bfd7050c5c9e3b5490eb056281c

    • SHA1

      05f0b62ff015ecb90ca36495c94842bef9a1ba45

    • SHA256

      d98b551ba123d7020b8bcc1835f0bbeb103e50d18a3d341771e1a05b1edfaf87

    • SHA512

      e616ede3c6514b6de6b4bee70fee764d04ea602640067cb5fb18aa00d7339c0d0f59a2b9a842cfa9fd1bc2383e9cfde217004ab247343aa959a51d181604083a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                            Count  ID
Execution             Scheduled Task                       2      T1053
Execution             Command-Line Interface               1      T1059
Persistence           Scheduled Task                       2      T1053
Persistence           Registry Run Keys / Startup Folder   1      T1060
Privilege Escalation  Scheduled Task                       2      T1053
Defense Evasion       Virtualization/Sandbox Evasion       4      T1497
Defense Evasion       Modify Registry                      2      T1112
Discovery             Query Registry                       10     T1012
Discovery             Virtualization/Sandbox Evasion       4      T1497
Discovery             System Information Discovery         9      T1082
Discovery             Peripheral Device Discovery          2      T1120
Collection            Email Collection                     2      T1114

Tasks