General

  • Target

    oDEEOpxV4qBlrgj.001.zip

  • Size

    510KB

  • Sample

    230216-s25jlsac86

  • MD5

    e5c902ecd51fd12769e3f67d59c8e6e9

  • SHA1

    e808bc485331e68d7b7ed5a9d18571a556932dd0

  • SHA256

    1bc7d9dbd8555114b3d8f986db3e1ae440b0b0142d08c9c91330fab940718cc5

  • SHA512

    9af082b4ab00322b8fb4f1afc2f3c5a10696d0b8bdbff78591b63b572c7aec956f24b95cfc06e0b574a3975797d4e4facd574609ef8fa7ae874de633833e487f

  • SSDEEP

    6144:LKJiQvceokpNcoQpdkO8jlAiIk5k4+G9sWDocOOsfDPJy7DsrrmYo/3knOgFDMRi:uJ1AkAENkKRGnDPOoQwsReU8XBMKyLxq

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.3.193.136:2023

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

warzonerat

C2

192.3.193.136:2017

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5171883538:AAEyFWuNh68SJNNpkDCQbviRgrklZA3K4Qs/

Targets

    • Target

      oDEEOpxV4qBlrgj.exe

    • Size

      621KB

    • MD5

      45f42e17dd7229140a940f3346ddf3a9

    • SHA1

      dbf51050b80bd2932bfed81fc867495bbd856ca6

    • SHA256

      785ebeb84c2bc65d0b0a55691f18631c110531b132f60535b8462684d2492b81

    • SHA512

      3a1c2a3ee5382c61759e1a2664f2871eb49c567de6dec8ad70e797d4698f7950ec78eb567aba3ad286723bae926856509e880777d4165a75cc2463fcb4fbc7ef

    • SSDEEP

      12288:NeHlPTZh6q6/TKPzG7rjkKzG9DP+ogIGdjPETxpj:NeHllY/TKPzG7+B+TIOjPWxF

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Detect Neshta payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other files in order to spread and cause damage.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Async RAT payload

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                          Count  ID
  Execution             Scheduled Task                     1      T1053
  Persistence           Change Default File Association    1      T1042
  Persistence           Scheduled Task                     1      T1053
  Privilege Escalation  Scheduled Task                     1      T1053
  Defense Evasion       Modify Registry                    1      T1112
  Credential Access     Credentials in Files               1      T1081
  Discovery             Query Registry                     1      T1012
  Discovery             System Information Discovery       2      T1082
  Collection            Data from Local System             1      T1005