agenttesla | ffb44a5388958cda3be00af5170e3fa51c5bc59e7b6ea659836417a17594d18c

General

Target

malware.zip
Size

75.2MB
Sample

230916-rv1reaba91
MD5

9c5d4fde9036434c02da795d079f0651
SHA1

e57b24f74086c01f46b4d814688415c27a5e0068
SHA256

ffb44a5388958cda3be00af5170e3fa51c5bc59e7b6ea659836417a17594d18c
SHA512

1f956bf4f628553e88850d045cea9a5e09fb43c2a00b6311c4df2245535acfdaf6c5256ece4104df07ed9c69e15a033a2748ad2eaa4f17634ab6e8c32cffda0f
SSDEEP

1572864:jO3K/oykFae+/XkNwJ3ncS9pLkFg4FR40rbvXFahEvRY/Qj:K3K/jkFLobLkl40PvXpK/q

Score

10^/10

Malware Config

Extracted

Family

laplas

C2

clipper.guru

Attributes

api_key
5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e

Extracted

Family

rhadamanthys

C2

http://195.3.223.120/blob/fullidao.tk

http://195.3.223.120/blob/fulliano.tk

http://195.3.223.120/blob/luciano.tk

http://195.3.223.120/blob/gotto.tk

Extracted

Family

aurora

C2

185.239.239.194:8081

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1052047387167838281/ckxOZHqDK9Fs6wm9uehtyNosd3HZGLhQFPhbdBDnWi6cl945WnENSlc0bCmlN0xY5VHH

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32

Targets

- Target
  
  malware.zip
- Size
  
  75.2MB
- MD5
  
  9c5d4fde9036434c02da795d079f0651
- SHA1
  
  e57b24f74086c01f46b4d814688415c27a5e0068
- SHA256
  
  ffb44a5388958cda3be00af5170e3fa51c5bc59e7b6ea659836417a17594d18c
- SHA512
  
  1f956bf4f628553e88850d045cea9a5e09fb43c2a00b6311c4df2245535acfdaf6c5256ece4104df07ed9c69e15a033a2748ad2eaa4f17634ab6e8c32cffda0f
- SSDEEP
  
  1572864:jO3K/oykFae+/XkNwJ3ncS9pLkFg4FR40rbvXFahEvRY/Qj:K3K/jkFLobLkl40PvXpK/q
Score

10^/10

aurora dcrat smokeloader backdoor discovery evasion infostealer persistence rat spyware stealer trojan
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1