General

  • Target

    Purchase Order list 58732.pdf.z

  • Size

    232KB

  • Sample

    230327-qd4w3aff3v

  • MD5

    9759cda218b7cb9fa1a7df976d721027

  • SHA1

    85b3bb7cb020afc5c264fb8fcabca4d7a355ee99

  • SHA256

    5b69da44236696fcd58a56ae7085b1f357ba9c763e6c0181a175db0411ce7e29

  • SHA512

    619d72dfa455dafe4ebf66036e793626960bd29a9c0b9657d967245ae6002536d0713acc0ab3ca43f2b54257de3421d91f590df2b93113ffa353ec94f4b74c80

  • SSDEEP

    6144:LGXQitcpgp3d6ZRBMyNHmUBp9Hh3biqkvdR:LGJ6mp3d2rBXheq4R

Malware Config

Extracted

Family

warzonerat

C2

91.192.100.10:11011

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mondistar.ro
  • Port:
    587
  • Username:
    control@mondistar.ro
  • Password:
    MondiStar@2018!

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mondistar.ro
  • Port:
    587
  • Username:
    control@mondistar.ro
  • Password:
    MondiStar@2018!
  • Email To:
    sales5dept@yandex.com
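The two extracted configs give a WarzoneRAT C2 endpoint and an AgentTesla SMTP exfiltration account. The following is an added example (not part of the sandbox report) of turning those into a detection over EDR-style network events; it goes one step beyond the exact indicators by also flagging the C2 address on any port and SMTP submission from a process that is not a mail client. The events, the image names and the 203.0.113.0/24 addresses are constructed; only the C2 and SMTP endpoints come from the report.

```python
"""Match the network indicators extracted above against EDR-style network events.

Added example, not part of the sandbox report. The events below are constructed;
only the C2 and SMTP endpoints come from the report's extracted configs.
"""
import json

# Indicators copied from the report's "Malware Config" section.
C2_ENDPOINTS = {("91.192.100.10", 11011): "warzonerat C2"}
EXFIL_ENDPOINTS = {("mail.mondistar.ro", 587): "agenttesla SMTP exfil"}
C2_ADDRESSES = {ip for ip, _ in C2_ENDPOINTS}

# Assumption: only these images should speak SMTP submission ports on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample telemetry (one JSON event per line); IPs in 203.0.113.0/24 are
# documentation addresses, not resolutions of the hosts above.
SAMPLE_EVENTS = """\
{"image": "Purchase Order list 58732.pdf.exe", "dst_ip": "91.192.100.10", "dst_host": null, "dst_port": 11011}
{"image": "chrome.exe", "dst_ip": "203.0.113.5", "dst_host": "www.example.com", "dst_port": 443}
{"image": "RegSvcs.exe", "dst_ip": "203.0.113.10", "dst_host": "mail.mondistar.ro", "dst_port": 587}
{"image": "outlook.exe", "dst_ip": "203.0.113.20", "dst_host": "smtp.example.com", "dst_port": 587}
{"image": "notepad.exe", "dst_ip": "203.0.113.30", "dst_host": null, "dst_port": 465}
{"image": "Purchase Order list 58732.pdf.exe", "dst_ip": "91.192.100.10", "dst_host": null, "dst_port": 443}
"""


def classify(event):
    """Return (severity, reason) for one event, or None when nothing matched.

    Exact host-or-IP plus port matches are high confidence; the C2 address on another
    port is medium (operators rotate ports); SMTP from a non-mail process is a weak
    heuristic that would catch the exfil channel even without the extracted config.
    """
    port = int(event["dst_port"])
    keys = {(event["dst_ip"], port)}
    if event.get("dst_host"):
        keys.add((event["dst_host"].lower(), port))

    for key in keys:
        if key in C2_ENDPOINTS:
            return ("high", C2_ENDPOINTS[key])
        if key in EXFIL_ENDPOINTS:
            return ("high", EXFIL_ENDPOINTS[key])
    if event["dst_ip"] in C2_ADDRESSES:
        return ("medium", "warzonerat C2 address on unexpected port")
    if port in SMTP_PORTS and event["image"].lower() not in MAIL_CLIENTS:
        return ("low", "SMTP from non-mail process " + event["image"])
    return None


def scan(jsonl):
    """Classify every event in a JSON-lines blob; return (image, dst, port, severity, reason) hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        verdict = classify(ev)
        if verdict is not None:
            dst = ev.get("dst_host") or ev["dst_ip"]
            hits.append((ev["image"], dst, int(ev["dst_port"])) + verdict)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events, the WarzoneRAT beacon and the SMTP exfil from RegSvcs.exe come out as high-confidence hits, the beacon to the C2 address on 443 as medium, and notepad.exe talking to port 465 as the low-confidence heuristic; Outlook on 587 is left alone.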

Targets

    • Target

      Purchase Order list 58732.pdf.exe

    • Size

      307KB

    • MD5

      dbaa3eedb475065eb8d88c1e9e04c2de

    • SHA1

      bd2bbf3940dbfa53ddacba057333c88c77e5372d

    • SHA256

      853e1ec7d4d8fa449d88746cab1bfac6074e0d81e9a26ef6948793059e9bd781

    • SHA512

      9dea4831e8b01d0f9726ba9d31f786fdbaf1334340042282548a138b83e13d639403d814b8f16ee7572044941b3417c503240ee56c8c4d782c265fb6520b4509

    • SSDEEP

      6144:u8fqDye3NCT8yGjm04y0O12udoEUAaZbyHfI:tiCgD4wldEiHfI

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and infostealer (the sandbox's family note describes it as written in Visual Basic). It harvests saved credentials from browsers, email and FTP clients, which matches the behaviours listed below, and in this sample exfiltrates them over SMTP using the account extracted above.

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS). Its extracted config in this sample points at the C2 91.192.100.10:11011.

    • Warzone RAT payload

      The sandbox's Warzone RAT signature matched on the executed payload.

    • Downloads MZ/PE file

      A PE image (MZ header) was retrieved over the network during the run.

    • Executes dropped EXE

      An executable written to disk by the sample was subsequently launched.

    • Loads dropped DLL

      A DLL written to disk by the sample was subsequently loaded into a process.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla, which keep saved server credentials on disk.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

      Reads the Outlook profile keys in the registry, where account settings and stored passwords live.

    • Adds Run key to start application

      Writes a value under Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM) so the payload is relaunched at logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP. The request itself is benign, so the process making it, not the destination, is the detection point.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on another process's thread is the tell-tale of process hollowing: the sample starts a process suspended, replaces its image in memory, points the main thread at the new entry point and resumes it.
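Two of the tells above are cheap to detect on the host before any network traffic: the lure naming (a .pdf.exe inside a .pdf.z archive) and the Run-key persistence. The following is an added example, not part of the sandbox report, that classifies filenames with deceptive double extensions and flags Run/RunOnce values pointing at, or written from, user-writable paths. The registry events are constructed in a Sysmon Event ID 13 (RegistryEvent, value set) shape; the paths, SID and value name are assumptions, not artifacts from this sample.

```python
"""Host-side checks for the lure filename and Run-key persistence seen in this report.

Added example, not part of the sandbox report. The registry events are constructed
in a Sysmon Event ID 13 shape; paths and value names are assumptions.
"""
import re

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
ARCHIVE_EXTS = {"z", "zip", "rar", "7z", "gz", "iso", "img"}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\|\\Users\\Public\\", re.I)


def double_extension_lure(name):
    """Classify a filename as 'executable disguised as document', 'archive named like
    a document', or None. An outer archive extension (the .z here) is peeled first so
    'x.pdf.exe.z' and 'x.pdf.exe' are judged the same way."""
    parts = name.lower().split(".")
    wrapped = False
    if len(parts) > 1 and parts[-1] in ARCHIVE_EXTS:
        parts.pop()
        wrapped = True
    if len(parts) < 2:
        return None
    last, prev = parts[-1], parts[-2]
    if last in EXEC_EXTS and prev in DOCUMENT_EXTS:
        return "executable disguised as document"
    if wrapped and last in DOCUMENT_EXTS:
        return "archive named like a document"
    return None


def suspicious_run_key(event):
    """Return a reason when a Run/RunOnce value is set to, or by, something in a
    user-writable location; legitimate installers write from Program Files."""
    target = event["TargetObject"]
    if not RUN_KEY_RE.search(target):
        return None
    details = event["Details"]
    if USER_WRITABLE_RE.search(details) or USER_WRITABLE_RE.search(event["Image"]):
        value_name = target.rsplit("\\", 1)[-1]
        return "autostart value %r -> %s (set by %s)" % (value_name, details, event["Image"])
    return None


# Constructed Sysmon-style registry events (Image, TargetObject, Details); not real telemetry.
SAMPLE_REGISTRY_EVENTS = [
    {   # dropped binary registering a copy of itself from %APPDATA%: should fire
        "Image": r"C:\Users\bob\AppData\Local\Temp\Purchase Order list 58732.pdf.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Users\bob\AppData\Roaming\Updater\Updater.exe",
    },
    {   # vendor installer registering a tray app from Program Files: benign
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
        "Details": r"C:\Program Files\Vendor\tray.exe",
    },
    {   # explorer touching an unrelated key: not a Run key at all
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]


def scan_registry(events):
    """Return the reasons for every event that looks like malicious Run-key persistence."""
    return [r for r in (suspicious_run_key(e) for e in events) if r]


if __name__ == "__main__":
    for name in ("Purchase Order list 58732.pdf.z", "Purchase Order list 58732.pdf.exe", "report.pdf"):
        print(name, "->", double_extension_lure(name))
    for reason in scan_registry(SAMPLE_REGISTRY_EVENTS):
        print(reason)
```

The archive name from this report classifies as "archive named like a document" and the extracted binary as "executable disguised as document", while report.pdf and backup.tar.gz pass; of the three constructed registry events, only the one written from %TEMP% and pointing into %APPDATA% is reported.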

MITRE ATT&CK Matrix (ATT&CK v6; the number in parentheses is the report's hit count for that technique)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1). Retired in later ATT&CK versions in favour of T1547.001.

  • Defense Evasion: Modify Registry, T1112 (1)

  • Credential Access: Credentials in Files, T1081 (3). Retired in later ATT&CK versions in favour of T1552.001.

  • Discovery: Remote System Discovery, T1018 (1)

  • Collection: Data from Local System, T1005 (3)

  • Collection: Email Collection, T1114 (1)

Tasks