General
-
Target
hgj.exe
-
Size
381KB
-
Sample
230403-p9jqbseh44
-
MD5
430ff166ab0342bc7036bc9af090dd82
-
SHA1
96dc919ed5e15d9a8db55e570658bb88dc38b2c6
-
SHA256
d656346e915ba499f5d4ddc36e9753891e2335ec7d309e0bc38b91c3875b081f
-
SHA512
074e97b5cbb5782e5ddb6ccc5166216f44e32960218735d68fb9d2508c9b5b08209289634d8b857722597e765a7633eb923ebfe71c7bae06448ad8c4c0f93169
-
SSDEEP
6144:eDNA9p+LExdEfqDye3NCT8yGjm04y0O12udoEUAqI:IZLExdAiCgD4wldEHI
Static task
static1
Behavioral task
behavioral1
Sample
hgj.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
hgj.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
warzonerat
91.192.100.10:11011
Extracted
Protocol: smtp
Host: mail.mondistar.ro
Port: 587
Username: control@mondistar.ro
Password: MondiStar@2018!
Extracted
agenttesla
Protocol: smtp
Host: mail.mondistar.ro
Port: 587
Username: control@mondistar.ro
Password: MondiStar@2018!
Email To: sales5dept@yandex.com
Targets
-
Target
hgj.exe
-
Size
381KB
-
MD5
430ff166ab0342bc7036bc9af090dd82
-
SHA1
96dc919ed5e15d9a8db55e570658bb88dc38b2c6
-
SHA256
d656346e915ba499f5d4ddc36e9753891e2335ec7d309e0bc38b91c3875b081f
-
SHA512
074e97b5cbb5782e5ddb6ccc5166216f44e32960218735d68fb9d2508c9b5b08209289634d8b857722597e765a7633eb923ebfe71c7bae06448ad8c4c0f93169
-
SSDEEP
6144:eDNA9p+LExdEfqDye3NCT8yGjm04y0O12udoEUAqI:IZLExdAiCgD4wldEHI
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Downloads MZ/PE file
-
.NET Reactor protector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-