General

Target: c1faff57e041b52c6dc2a251eb60521621fc796330169d4e5b04a6e84cf49bf2
Size: 2.9MB
Sample: 220521-n1gzpshegm
MD5: 83b084e31d22420172b512c13d85fb29
SHA1: da61793b805a60d6958725b7817e611e1e16d17f
SHA256: c1faff57e041b52c6dc2a251eb60521621fc796330169d4e5b04a6e84cf49bf2
SHA512: e2d7253058e0f98a22d86df002b97a634cf5fba63aeb930b3ff65e98aa6affe689d8ba06adea55f74ae9b16885b2c33e38a40b4d71091de2f2e6b69307648abf
Static task: static1

Behavioral task: behavioral1
Sample: Company Profile pdf pdf pdf pdf.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: Company Profile pdf pdf pdf pdf.exe
Resource: win10v2004-20220414-en

Behavioral task: behavioral3
Sample: Invoices12032018 pdf pdf pdf pdf.exe
Resource: win7-20220414-en

Behavioral task: behavioral4
Sample: Invoices12032018 pdf pdf pdf pdf.exe
Resource: win10v2004-20220414-en

Behavioral task: behavioral5
Sample: Me jpg jpg jpg jpg jpg.exe
Resource: win7-20220414-en

Behavioral task: behavioral6
Sample: Me jpg jpg jpg jpg jpg.exe
Resource: win10v2004-20220414-en

Behavioral task: behavioral7
Sample: Pictures&Designs jpg jpg jpg jpg.exe
Resource: win7-20220414-en

Behavioral task: behavioral8
Sample: Pictures&Designs jpg jpg jpg jpg.exe
Resource: win10v2004-20220414-en
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: abouttomarry123

Extracted: warzonerat
216.170.119.24:5200

Extracted: formbook
4.1
hha
Targets

Target: Company Profile pdf pdf pdf pdf.exe
Size: 992KB
MD5: 6fef3cbba153c0f075035ec92dfb6e9a
SHA1: b5bdf75e292ed3578172e80e604b96afa9686cb0
SHA256: 058edd37e76814c72e3b158791ec7ce2313550521bd522dba07d6c21903aee7b
SHA512: efcb5c5229490fb2d9ed4ef7f8fa60449917b00dcaed1bd44292b0cea2e1e8ad3c5939d0c3ae549d8d5730b7d8df24a0b12946aebc3f6bcae44bf2356254fbea

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments)
- Checks computer location settings (looks up the country code configured in the registry, likely for geofencing)
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry (disk information is often read in order to detect sandboxing environments)
- Suspicious use of SetThreadContext

Target: Invoices12032018 pdf pdf pdf pdf.exe
Size: 701KB
MD5: adba8eb89fb39495c55c143d2e46b70e
SHA1: 9c36946b4ce03961de5d27317b4fdb861166bf7f
SHA256: f0610807d973782048ad57275cdbb730da9974ea54f6de294f6e8ea82eca2d98
SHA512: b6bb56d6640788f8b041898e59746e4b12f8f131668684dd5a0953fd486a239c5106fc404480572886193ee863ff3a731d6087dfba6a02df9d596737aed53a2d
Score: 10/10

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT Payload
- Suspicious use of SetThreadContext

Target: Me jpg jpg jpg jpg jpg.exe
Size: 794KB
MD5: 2ede82a76d48e1a1cf3d3c55b18db290
SHA1: 854589e5ea918e9033e56216a7f3d6bfd6dec59a
SHA256: f1c80232eaed26af259c818427b444f12057b9329804da8ded13ec9fd20d3413
SHA512: 1e0deaf9afeed65367f7b0d04cc413449331820b03bd075dbadc1a593842ce3dc7f868ccee5aa7af32cc528d01558f5251313f938d1bc5a431f71ca0fe1f409a

- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Suspicious use of SetThreadContext

Target: Pictures&Designs jpg jpg jpg jpg.exe
Size: 985KB
MD5: f18c8bfd7050c5c9e3b5490eb056281c
SHA1: 05f0b62ff015ecb90ca36495c94842bef9a1ba45
SHA256: d98b551ba123d7020b8bcc1835f0bbeb103e50d18a3d341771e1a05b1edfaf87
SHA512: e616ede3c6514b6de6b4bee70fee764d04ea602640067cb5fb18aa00d7339c0d0f59a2b9a842cfa9fd1bc2383e9cfde217004ab247343aa959a51d181604083a

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments)
- Checks computer location settings (looks up the country code configured in the registry, likely for geofencing)
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry (disk information is often read in order to detect sandboxing environments)
- Suspicious use of SetThreadContext