General
- Target: PujH3zZZ8CZ2PQh.exe
- Size: 690KB
- Sample: 230216-s1cr7shh6y
- MD5: ff03d21030f0ceec34b64a1354e12eca
- SHA1: d4fd57bf4a367e0c3c7c12d1bf5d2fa24cfb4050
- SHA256: f77b10f6ec51ae7c41bbf862324e2ec41527f2ddda49b85765ea45919480832e
- SHA512: 0c2a0c81aee2277a56d161c970d51e21bdf507bebbe6f85ffaaacc456765dba6c31a328bb014f3493d569c4e62f38ffa01972b5d88ffddf4b3e8b26bab61df2f
- SSDEEP: 12288:Gh6q6EM7YC0ND571Vd8Sd9GNx1l3V8HzLUExWB:GYXpQ57jfaxPleoB
Static task: static1
Behavioral task: behavioral1
  Sample: PujH3zZZ8CZ2PQh.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: PujH3zZZ8CZ2PQh.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: asyncrat
  0.5.7B
  Default
  192.3.193.136:2023
  AsyncMutex_6SI8OkPnk
  - delay: 3
  - install: false
  - install_folder: %AppData%
Extracted: warzonerat
  192.3.193.136:2017
Extracted: agenttesla
  https://api.telegram.org/bot5171883538:AAEyFWuNh68SJNNpkDCQbviRgrklZA3K4Qs/
Targets
- Target: PujH3zZZ8CZ2PQh.exe
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect Neshta payload
- Modifies system executable filetype association
- Neshta: Malware from the Neshta family infects other executable files in order to spread and cause damage.
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Async RAT payload
- Warzone RAT payload
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext