Overview

overview

10

Static

static

1

21b1d3298f...96.exe

windows7-x64

10

21b1d3298f...96.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    21b1d3298f190b1e90d3dc38d14fff7961854ee431ef70d10d3186ac36f3cd96.exe

  • Size

    534KB

  • Sample

    230206-rwvlsaed29

  • MD5

    5d444963cb8edc7745fcc4d6e8d31358

  • SHA1

    6f40cbe3a55c80e84f503a5f33557a125aac8a8a

  • SHA256

    21b1d3298f190b1e90d3dc38d14fff7961854ee431ef70d10d3186ac36f3cd96

  • SHA512

    382d11a72e1c01fba20a5130b2917fa85e51a9a347172a69535adab17d5a8f66fa85f43862c39887907c08e0be809b2867e6f9154f199857a57ab6dc5797c242

  • SSDEEP

    12288:DP/ReMHgqTPWORNdHq9D5CTROMDCJ+0cWeh3ih9HdA:zpeWbC9ATKo0cBYTG

Score
10/10
agentteslaasyncratneshtawarzoneratdefaultcollectioninfostealerkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.3.193.136:2023

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5171883538:AAEyFWuNh68SJNNpkDCQbviRgrklZA3K4Qs/

Targets

    • Target

      21b1d3298f190b1e90d3dc38d14fff7961854ee431ef70d10d3186ac36f3cd96.exe

    • Size

      534KB

    • MD5

      5d444963cb8edc7745fcc4d6e8d31358

    • SHA1

      6f40cbe3a55c80e84f503a5f33557a125aac8a8a

    • SHA256

      21b1d3298f190b1e90d3dc38d14fff7961854ee431ef70d10d3186ac36f3cd96

    • SHA512

      382d11a72e1c01fba20a5130b2917fa85e51a9a347172a69535adab17d5a8f66fa85f43862c39887907c08e0be809b2867e6f9154f199857a57ab6dc5797c242

    • SSDEEP

      12288:DP/ReMHgqTPWORNdHq9D5CTROMDCJ+0cWeh3ih9HdA:zpeWbC9ATKo0cBYTG

    Score
    10/10
    agentteslaasyncratneshtawarzoneratdefaultcollectioninfostealerkeyloggerpersistenceratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Detect Neshta payload

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks