General
Target: MONSTERMCProtector.zip
Size: 2.9MB
Sample: 231202-r27hjade3y
MD5: e8a8b0cab9eb9a710fd7895ff764cc99
SHA1: 39bc39ee525a3e4c3d18fd5fb07cb15463fbc701
SHA256: 98c8e17db7c4e1f5cac1d3f8487e984802bb436a52620667d0c2ff602a6b1789
SHA512: d7f14f6c57bb93748fff6f6f028955a20423cc184deb8e3427b79a3262944c7f26a0d4cfe626d16be1fddc53f104ce16610baf4cd72eb7224619248299dd55e2
SSDEEP: 49152:6btLYS4beqTlCIuvYiV5G+NxFczKZZsy6nqvJD5tlQLmd:6bRYS4CqTxYYiVk+NxFjZsylhDVjd
Behavioral tasks
behavioral1: sample MONSTERMCProtector.zip, resource win7-20231020-en
behavioral2: sample MONSTERMCProtector.zip, resource win10-20231129-en
behavioral3: sample MONSTERMCProtector.zip, resource win10v2004-20231127-en
behavioral4: sample MONSTERMCProtector.zip, resource win11-20231129-en
Malware Config
Targets
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger