Overview

overview

10

Static

static

1

PujH3zZZ8CZ2PQh.exe

windows7-x64

10

PujH3zZZ8CZ2PQh.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PujH3zZZ8CZ2PQh.exe

  • Size

    690KB

  • Sample

    230216-s1cr7shh6y

  • MD5

    ff03d21030f0ceec34b64a1354e12eca

  • SHA1

    d4fd57bf4a367e0c3c7c12d1bf5d2fa24cfb4050

  • SHA256

    f77b10f6ec51ae7c41bbf862324e2ec41527f2ddda49b85765ea45919480832e

  • SHA512

    0c2a0c81aee2277a56d161c970d51e21bdf507bebbe6f85ffaaacc456765dba6c31a328bb014f3493d569c4e62f38ffa01972b5d88ffddf4b3e8b26bab61df2f

  • SSDEEP

    12288:Gh6q6EM7YC0ND571Vd8Sd9GNx1l3V8HzLUExWB:GYXpQ57jfaxPleoB

Score
10/10
agentteslaasyncratneshtawarzoneratdefaultinfostealerkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.3.193.136:2023

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

warzonerat

C2

192.3.193.136:2017

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5171883538:AAEyFWuNh68SJNNpkDCQbviRgrklZA3K4Qs/

Targets

    • Target

      PujH3zZZ8CZ2PQh.exe

    • Size

      690KB

    • MD5

      ff03d21030f0ceec34b64a1354e12eca

    • SHA1

      d4fd57bf4a367e0c3c7c12d1bf5d2fa24cfb4050

    • SHA256

      f77b10f6ec51ae7c41bbf862324e2ec41527f2ddda49b85765ea45919480832e

    • SHA512

      0c2a0c81aee2277a56d161c970d51e21bdf507bebbe6f85ffaaacc456765dba6c31a328bb014f3493d569c4e62f38ffa01972b5d88ffddf4b3e8b26bab61df2f

    • SSDEEP

      12288:Gh6q6EM7YC0ND571Vd8Sd9GNx1l3V8HzLUExWB:GYXpQ57jfaxPleoB

    Score
    10/10
    agentteslaasyncratneshtawarzoneratdefaultinfostealerkeyloggerpersistenceratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Detect Neshta payload

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Async RAT payload

      rat

    • Warzone RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks