General

  • Target: 58bbda497419849bd851ed97dfde285b9c995a4421af98475776d6879e21309d
  • Size: 1.5MB
  • Sample: 220521-n72bxshhhj
  • MD5: 11e598ad2fd776265951dc0720d55273
  • SHA1: c708bf1d04672c305491a2a2d75aa41631e69337
  • SHA256: 58bbda497419849bd851ed97dfde285b9c995a4421af98475776d6879e21309d
  • SHA512: 5073f4188c36a3ba15d0b1eaff033eb86e447d2d6de4fd9ef3f3632ac6491d9b3a786249e6d24116c2b5ade5450001c0c169de78c49be17399f5bbf537eeec56

Malware Config

Extracted

  • Family: warzonerat
  • C2: 198.12.84.39:5200

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: hha
  • Decoy:


Extracted

  • Family: agenttesla
  • Credentials
      • Protocol: smtp
      • Host: smtp.privateemail.com
      • Port: 587
      • Username: [email protected]
      • Password: coronavirus2020

Targets

    • Target: Invoices,Pictures jpg jpg jpg jpg.exe
    • Size: 476KB
    • MD5: bb5454dd5bd4348184f41b2a179fc485
    • SHA1: fded32c568bf8bfbb4f937f6c6a23be3e4de8e3c
    • SHA256: 847a17631eb77cdb667aadc9bebec75562fd1dfc4fd6206d2ec2636a11671cca
    • SHA512: af8b23f670510ee4539ccc14698005567cea83695e53e198a8041c3351d73787a1668221e4d4a0b7c5ee8ebd49cef67e0880c60b12d39b48f17074742f9c5be4

    • WarzoneRat, AveMaria
      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
    • Looks for VirtualBox Guest Additions in registry
    • Warzone RAT Payload
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Maps connected drives based on registry
      Disk information is often read in order to detect sandboxing environments.
    • Suspicious use of SetThreadContext

    • Target: Me jpg jpg jpg jpg.exe
    • Size: 550KB
    • MD5: b341988d42a31ad31f64902f802be8cb
    • SHA1: dcb84aa283342301808bb227d0f768036cccc89a
    • SHA256: f80c8e9d0e8ed0ffa6b7d8620a0eb890deb7c9dc84dca3198b3d2625bf5d1099
    • SHA512: 97a260e43f2f77c57d46765d837df1bfa7bbbd27d4e3b8d17a63d68872429301b1be7fa5a735f0a37d7750a63ec98b242a93e7bb6be8ca9a7c9c289fd7b80c32

    • Formbook
      Formbook is an information-stealing malware family.
    • Formbook Payload
    • Adds policy Run key to start application
    • Suspicious use of SetThreadContext

    • Target: Products Order pdf pdf pdf pdf.exe
    • Size: 763KB
    • MD5: 67d6dae8674b82803d9179b2e7416bbe
    • SHA1: 7f6f189a461595a0d4a6bfb609e4c1c8fe1619d4
    • SHA256: e749f3ff00bcb6ecd97f1a5d504cac08382a2b22d2b28e726b22d8b3f2770510
    • SHA512: fd11bfdb26d54da445aeeba66e369658f00228bc070fa1940ced1a6ded89c2a118397b9e44a5607ed75562625895606ed86e95f4850a4062939d866399fa7144

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • AgentTesla Payload
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Accesses Microsoft Outlook profiles
    • Maps connected drives based on registry
      Disk information is often read in order to detect sandboxing environments.
    • Suspicious use of SetThreadContext
