General
- Target: oDEEOpxV4qBlrgj.001.zip
- Size: 510KB
- Sample: 230216-s25jlsac86
- MD5: e5c902ecd51fd12769e3f67d59c8e6e9
- SHA1: e808bc485331e68d7b7ed5a9d18571a556932dd0
- SHA256: 1bc7d9dbd8555114b3d8f986db3e1ae440b0b0142d08c9c91330fab940718cc5
- SHA512: 9af082b4ab00322b8fb4f1afc2f3c5a10696d0b8bdbff78591b63b572c7aec956f24b95cfc06e0b574a3975797d4e4facd574609ef8fa7ae874de633833e487f
- SSDEEP: 6144:LKJiQvceokpNcoQpdkO8jlAiIk5k4+G9sWDocOOsfDPJy7DsrrmYo/3knOgFDMRi:uJ1AkAENkKRGnDPOoQwsReU8XBMKyLxq
Static task: static1

Behavioral task: behavioral1
- Sample: oDEEOpxV4qBlrgj.exe
- Resource: win7-20221111-en
Malware Config

Extracted: asyncrat
- 0.5.7B
- Default
- 192.3.193.136:2023
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%

Extracted: warzonerat
- 192.3.193.136:2017

Extracted: agenttesla
- https://api.telegram.org/bot5171883538:AAEyFWuNh68SJNNpkDCQbviRgrklZA3K4Qs/
Targets

- Target: oDEEOpxV4qBlrgj.exe
- Size: 621KB
- MD5: 45f42e17dd7229140a940f3346ddf3a9
- SHA1: dbf51050b80bd2932bfed81fc867495bbd856ca6
- SHA256: 785ebeb84c2bc65d0b0a55691f18631c110531b132f60535b8462684d2492b81
- SHA512: 3a1c2a3ee5382c61759e1a2664f2871eb49c567de6dec8ad70e797d4698f7950ec78eb567aba3ad286723bae926856509e880777d4165a75cc2463fcb4fbc7ef
- SSDEEP: 12288:NeHlPTZh6q6/TKPzG7rjkKzG9DP+ogIGdjPETxpj:NeHllY/TKPzG7+B+TIOjPWxF

Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect Neshta payload
- Modifies system executable filetype association
- Neshta: Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Async RAT payload
- Warzone RAT payload
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext