Resubmissions

23-02-2024 03:45

240223-ea6qpsaf9t 10

23-02-2024 02:03

240223-cg4htahg5x 10

General

  • Target

    5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9

  • Size

    285.1MB

  • Sample

    240223-cg4htahg5x

  • MD5

    be703c491575eecc60d4cbd09c3205e3

  • SHA1

    69aad609e9e6621bd83881d116adeeba72f77249

  • SHA256

    5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9

  • SHA512

    610f0c81ea41b8ab884a27a30374ed6642e2e07d59b575f8c10b94b360f61437b7e1b1b2b853dce12351dd83d9d6f45a900605dada6c35521ea9c8e9655955ae

  • SSDEEP

    6291456:ELXxkOxmKeHhrX/CNQMH5QeV1ubbxbuRi2zer2FoIxIlPUHDIy:gpxDeB8F5QhHx72zeUoI6q0y

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

C2

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7013847015:AAGJ9U6sgMmsBCQ0DNkHT8DYuslAtpiqCbA/

Extracted

Family

gafgyt

C2

185.91.127.233:23

103.82.20.7:42516

93.123.39.166:671

Extracted

Family

mirai

Botnet

UNSTABLE

C2

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

mirai

C2

scan.rebirthltd.dev

love.booter.cat

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

mirai

Botnet

BOTNET

C2

scan.rebirthltd.dev

194.169.175.31

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

Botnet

UNST

Extracted

Family

njrat

Version

im523

Botnet

Hacked

C2

0.tcp.eu.ngrok.io:19599

Mutex

3a8ee47129614a8ed745ed44d22e4759

Attributes
  • reg_key

    3a8ee47129614a8ed745ed44d22e4759

  • splitter

    |'|'|

Extracted

Family

mirai

Botnet

UNSTABLE

C2

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

Botnet

UNSTABLE

C2

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

marcelotatuape.ddns.net:333

Mutex

13b150f8ef23499092

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

mirai

C2

scamanje.stresserit.pro

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

patria.duckdns.org:1998

Mutex

85f10a8a09aa4

Attributes
  • reg_key

    85f10a8a09aa4

  • splitter

    @!#&^%$

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

Botnet

UNSTABLE

C2

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

mirai

Botnet

UNSTABLE

C2

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

nanocore

Version

1.2.2.0

C2

0.tcp.ngrok.io:18237

127.0.0.1:18237

Mutex

25d94285-e644-4394-8a59-361d828035f4

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-11-29T08:14:25.249811736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    3988

  • connection_port

    18237

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    25d94285-e644-4394-8a59-361d828035f4

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    0.tcp.ngrok.io

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

amadey

Version

4.18

C2

http://147.45.47.35

Attributes
  • install_dir

    0a25b59f74

  • install_file

    Dctooux.exe

  • strings_key

    57658e7aa84093060e0ebefa5ad4aa45

  • url_paths

    /bDjkb2xSd/index.php

rc4.plain

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked

C2

amma.myftp.biz:1177

Mutex

5067798511594293a736c9b0b92fa333

Attributes
  • reg_key

    5067798511594293a736c9b0b92fa333

  • splitter

    |'|'|

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

amadey

Version

4.18

C2

http://147.45.47.35

Attributes
  • strings_key

    57658e7aa84093060e0ebefa5ad4aa45

  • url_paths

    /bDjkb2xSd/index.php

rc4.plain

Extracted

Family

njrat

Version

im523

Botnet

Лошок

C2

5.tcp.eu.ngrok.io:13326

Mutex

1c7d94c93e29463dd3914e19ee6714b6

Attributes
  • reg_key

    1c7d94c93e29463dd3914e19ee6714b6

  • splitter

    |'|'|

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

BOTNET

C2

scan.rebirthltd.dev

194.169.175.31

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

risepro

C2

193.233.132.18:50500

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ionos.com
  • Port:
    587
  • Username:
    allmail@emisafe.ae
  • Password:
    S@fetyServicesGr0up

Extracted

Family

stealc

C2

http://185.172.128.145

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.2sautomobile.com
  • Port:
    587
  • Username:
    contact@2sautomobile.com
  • Password:
    Kenzi051008

Targets

    • Target

      00decd06732fecef7a4c6db953d90a9fc76b9ad9ed2b8e183a07a365c45254c0.vbs

    • Size

      9KB

    • MD5

      d2a2d34acb027afc3b36960d398a909f

    • SHA1

      60c7adcd3ca1831961635409e1ede4c7a088c105

    • SHA256

      00decd06732fecef7a4c6db953d90a9fc76b9ad9ed2b8e183a07a365c45254c0

    • SHA512

      2ae8d75ac7d37716c8ae6a56043011490c8d60270056f8b55ed7048d996c90c0155572fd22d8a7f96de9760a200e24886a3c27265cedc0ffd4fe670c97eb0934

    • SSDEEP

      192:JtzOv8hyM8vUkovNuW2UOLoP8wb4+bgvp9IaNWXNkYpN:vKv8MJvtoVuWdOy8wZgvQaNWXNkc

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      016005310b52d074fae59ca6682bd047ffe909f2849122ea0181c26ad2da41cb.elf

    • Size

      72KB

    • MD5

      ff2986c0ae9f76f395a03eb041d3f736

    • SHA1

      cd72af507c7d47b5765d94028e8b1284010f4a24

    • SHA256

      016005310b52d074fae59ca6682bd047ffe909f2849122ea0181c26ad2da41cb

    • SHA512

      e4bbcc096bc3eccc094f700937844fd0f0d29054368b41c9041841ef7c6255e72b1c5be5c3d67668cdfd965babc2ac56a9cb1e33d0eb9afb2a16bd99dda6fefc

    • SSDEEP

      1536:XNQb3EPdjmfX41gPEe/yWhxwZcJebovZ9AsUmJ:X+EVKfXlp/ynZOebmZ9AsJ

    Score
    7/10
    • Changes its process name

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Writes file to system bin folder

    • Target

      0282cdf346cafd7c63e35926443f388a18de964f07a3db45a88270e8d09f697d.elf

    • Size

      1KB

    • MD5

      1cfd5038ef18407a519c84685ce20384

    • SHA1

      0783e8b9f3562a2cdeea0e8aeaa8daabc366892e

    • SHA256

      0282cdf346cafd7c63e35926443f388a18de964f07a3db45a88270e8d09f697d

    • SHA512

      53589a04c954e21f15604a9aad33719c1bf25c669b927b3e17d8d2571f26f38828620f1e4517f1467f399da1c3f1784a1551070a938e8940093b0155c5308749

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect ZGRat V1

    • Detected Gafgyt variant

    • Gafgyt/Bashlite

      IoT botnet with numerous variants first seen in 2014.

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Requests dangerous framework permissions

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      02a690404a3d82ed7aef87f8518cac02809384d6b0550a36fc837c8552255d3d.exe

    • Size

      729KB

    • MD5

      04f44a0cce98b16a0c4154119ff88cd6

    • SHA1

      53a796d684447e0cffe437b63d7236e503bb1d6e

    • SHA256

      02a690404a3d82ed7aef87f8518cac02809384d6b0550a36fc837c8552255d3d

    • SHA512

      8950f5b3890831fed68d2ab77f1dc3cd1d65bac12457034fff61b436e7705ee848d943ee483cd24528613f52d96a8c332a434cf4d07737a9587763706a9a5e2a

    • SSDEEP

      12288:VoQTSA724UTlWqIXMnAg7RRlbOh9wiLUwvrff7sgB2Z9Lm+MHlAKutxvz3:Dt24U0ZXMnAqRPe9NzTYjHH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      02e3a95647684ad0501b2e25d0ff6afe117e8ae38c892f3416f174baafb8445d.exe

    • Size

      711KB

    • MD5

      16c22a22eb98a3cb543514a4a71ea92c

    • SHA1

      9d9297fe778b5e485dd9fe38c8dbd177adafb7fa

    • SHA256

      02e3a95647684ad0501b2e25d0ff6afe117e8ae38c892f3416f174baafb8445d

    • SHA512

      e6cab8cf8907b0349dde2f4225798fe30d2e6b5d016d1639f4f709574e0095dbee5551f1ca3afd97f524075358de8e88d3eb15dca6c4b124bf90dcbb213d3b0d

    • SSDEEP

      12288:H8UxY98c7opDyVSYQ1Qurh5kiXrq4e3f/0b19c0R0MuC2iN:H8ePpwQ1F5nrq4evsbOMuC1

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      0386b038402a99ab607a9b0ceb469d25f563f34b3d5c1548751c6b9c7843e653.elf

    • Size

      32KB

    • MD5

      2410204f5823ec8d239fd077c05ba5d9

    • SHA1

      6eaa18651f42c100448acd198c0817913d95a1c0

    • SHA256

      0386b038402a99ab607a9b0ceb469d25f563f34b3d5c1548751c6b9c7843e653

    • SHA512

      ec27cc1e066232928a8b548f874f8faa649b7685e3e012c619ab979d496b6e7cbd97a402b80e40966e0237bb3dec539a821b0079a41c072fd101e01afa1ee76e

    • SSDEEP

      768:2oiWiO031vpAPbrVWZK3XVGxm9XUSG99q3UEL5IK:2orm1vpALgUJUSGQLx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect ZGRat V1

    • Detected Gafgyt variant

    • Gafgyt/Bashlite

      IoT botnet with numerous variants first seen in 2014.

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe

    • Size

      1.1MB

    • MD5

      43e749d37e86bded763f7fb1b7b3cb06

    • SHA1

      8979cf333b073a45cb5a7ce9444652b7f7b273ba

    • SHA256

      039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b

    • SHA512

      97ade5e78a31cfafb5173183f8420c6fc248ebf260e200b49cb6e7d7f3f7e30c53dc6c10a71ff4cdd022533856eda65081cf844da54b7064c2dcd60f7b95f6b0

    • SSDEEP

      24576:IRmJkcoQricOIQxiZY1iaqjy+ZdZ84VeVhqHWm6HTVYBJ0:tJZoQrbTFZY1iaqjbZX84OhqHXI1

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      04854dadf5950eb39709f2cd5ab2844f79490ac0ae58d71ca46cca479031ff5c.elf

    • Size

      57KB

    • MD5

      df0508162f499f76dd2ae4fdee3a9370

    • SHA1

      061a19ad5b708b30990f4c6ceb281229c730f246

    • SHA256

      04854dadf5950eb39709f2cd5ab2844f79490ac0ae58d71ca46cca479031ff5c

    • SHA512

      336a2c85ec37ca695a022b35aeb2ef989eae6e24acae04ec01ccf37df5dc888df33a7264409fbd55695ebc081983ba4652ffab02be9924c4d38225f21864a01a

    • SSDEEP

      768:zlTiyMMIcxEpTXnRnoHoHPnmb4lGFpWXtA78i:zAyMMKjnOHofhGe9A78i

    Score
    1/10
    • Target

      077c3e19eacd87bf8ff3af56734434a989788ed52b20af77a6a2f89f5a1a986b.elf

    • Size

      78KB

    • MD5

      58d5c3db4bf181e19376edd2c4a2556c

    • SHA1

      1cf2793418619a7545bc78356a08009f4e834842

    • SHA256

      077c3e19eacd87bf8ff3af56734434a989788ed52b20af77a6a2f89f5a1a986b

    • SHA512

      3d99233b3902f8c839926263b05428b14b89146008aed4c8f2c4325e5c92c7c19638791fe42f5133ab6a6b8b86db57ef018bedd33493c1e01466b1cd92b10fc9

    • SSDEEP

      1536:LecvZ1h6c3UBUAq+9bKRyu5ePslkGHSesujvOT:LeKkBhq+9be8bASeHjWT

    Score
    1/10
    • Target

      078981526fd0969e928c1b785c9e1da97ff159248dabf04132ea8fab9347acf6.exe

    • Size

      2.4MB

    • MD5

      a6920289f8f1fb4703affb99f7f3b81e

    • SHA1

      acfdbe080c8d33b1dad1926a09dd503a8cf538b5

    • SHA256

      078981526fd0969e928c1b785c9e1da97ff159248dabf04132ea8fab9347acf6

    • SHA512

      72c6c0463bb71432c683be28f95c5e195f802c3be2df8802ad780a1ddb5cd74c709c2855e20e436c510716088e1a233c11505d2f8465a926334f34674967eac2

    • SSDEEP

      49152:DiG7qkCfG92E6pCeNET1yww+6jbNGyBq4rRN6WjQWg95fg:DiLffG9P6zNE56+6dGy84zPmi

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      07e5ccafd9ac5416dce0c5c04eba91ba647cb00fdac7fb67b11b1d42729beeab.exe

    • Size

      2.2MB

    • MD5

      55470a6d684af54249ce25a19b8eda1b

    • SHA1

      a5288548f25b4095ba96dc9fddca2c0b0671a19d

    • SHA256

      07e5ccafd9ac5416dce0c5c04eba91ba647cb00fdac7fb67b11b1d42729beeab

    • SHA512

      6ed90eeb1ed7e3d2673061c9304cf3e24954e94a22824d53838ca119c783e65323eef7a00645d231bf9dfda9d58412e9eb8a50a91cc5e5fa405c4bf34ab27d5d

    • SSDEEP

      49152:Z6uyZeTcvTGT42EXFhroNMd1WvyBZ08vSfPSHIl20cQ:Z6uyZeTnT0XFhroQA2vUPh5

    Score
    10/10
    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Suspicious use of SetThreadContext

    • Target

      0932f5d800ebb0e22e6323f1e64bdf3b6125b2e9b205d9f333f1857da72d7516.exe

    • Size

      244KB

    • MD5

      fdaeb38d218c4f6b021b92165086aa83

    • SHA1

      c8fc159faa5177afd4f166df129b06399e3f943b

    • SHA256

      0932f5d800ebb0e22e6323f1e64bdf3b6125b2e9b205d9f333f1857da72d7516

    • SHA512

      40b7db87f685b6a748b365a237b54d909a0bdd628ed516e8685db3d9078ddcb155fa2c9ceabdd9dfec1a64ae1425711a6a528a5fc5db48de06954f6ec03544b7

    • SSDEEP

      3072:MYqrkzLrTjIb6ldbp7tbS5IQR5Dz/0C1kyOlb:MYqrkzLrTjIb6lHte5IE/LmyO

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      096a3baa4ba3d03b673524a281f63fa16e15a7880e5174a8679db9193eb48a75.exe

    • Size

      28KB

    • MD5

      9e9bbdca2a035d2e5503d1c180fc5695

    • SHA1

      f0a89a2568f653a5a66f71640a26da2f3553acce

    • SHA256

      096a3baa4ba3d03b673524a281f63fa16e15a7880e5174a8679db9193eb48a75

    • SHA512

      9ed9b1c9bc6e6ba2b61afc4faf35a3d75d258456d14ef03b06d269ec3895267c5e2703a9f4f9dbcbc29ff3cbcee0d3734a946b3281912afb27586dcff2505d68

    • SSDEEP

      384:AndtRcWJiFCzBQYD84eaFs9whv1gNVwPdFQH4P4A/QO6zK8NTc81HVu+zPZ/9Dwv:QAFEBQYA5XK6ezQH28lpVfzP5dwv

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Contacts a large number (4611) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      0993d4c07d308fe8dffae59c2bcea46471d87eb128e0212a295941bd7703733e.exe

    • Size

      182KB

    • MD5

      5239ca020f7751e9d634bd89366d2ed3

    • SHA1

      d2d782542151f94574e91d0967f9ec5edfe3ed7d

    • SHA256

      0993d4c07d308fe8dffae59c2bcea46471d87eb128e0212a295941bd7703733e

    • SHA512

      819bf6cfcda3e490cd59d77bed2db82017b113dfa24dd69d45cab6801f7aba0ce2e51a341c4990648b23a4bbc571ad8dfd27f347dc899967ba8e3360c9745724

    • SSDEEP

      3072:VH+kVcxpOIWfCQgwLpOx9uF79AklwKx4PlIGi:gf7OIaCodOWhhx4u

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  Hijack Execution Flow                 1   T1574
  Boot or Logon Autostart Execution     1   T1547
  Registry Run Keys / Startup Folder    1   T1547.001

Privilege Escalation
  Hijack Execution Flow                 1   T1574
  Boot or Logon Autostart Execution     1   T1547
  Registry Run Keys / Startup Folder    1   T1547.001

Defense Evasion
  Impair Defenses                       1   T1562
  Hijack Execution Flow                 1   T1574
  Modify Registry                       2   T1112
  Virtualization/Sandbox Evasion        1   T1497
  Subvert Trust Controls                1   T1553
  Install Root Certificate              1   T1553.004

Credential Access
  Unsecured Credentials                 11  T1552
  Credentials In Files                  9   T1552.001
  Credentials in Registry               2   T1552.002

Discovery
  Query Registry                        5   T1012
  System Information Discovery          7   T1082
  Virtualization/Sandbox Evasion        1   T1497
  Network Service Discovery             2   T1046

Collection
  Data from Local System                11  T1005

Command and Control
  Web Service                           1   T1102

Tasks

  • static1
    unstable, upx, wicked, themida, botnet, mirai, unst, macro, hacked, macro_on_action, nyancatrevenge, nyan cat, rat, lzrd, sora, pyinstaller, лошок, mirai, agenttesla, gafgyt, zgrat, njrat, revengerat, dcrat, nanocore, amadey, slocker
    Score 10/10

  • behavioral1
    Score 3/10

  • behavioral2
    Score 7/10

  • behavioral3
    Score 7/10

  • behavioral4
    Score 1/10

  • behavioral5
    Score 1/10

  • behavioral6
    Score 1/10

  • behavioral7
    dcrat, gafgyt, mirai, revengerat, zgrat, lzrd, mirai, nyancatrevenge, unstable, wicked, botnet, infostealer, rat, themida, trojan, upx
    Score 10/10

  • behavioral8
    agenttesla, zgrat, keylogger, persistence, rat, spyware, stealer, trojan
    Score 10/10

  • behavioral9
    agenttesla, zgrat, keylogger, persistence, rat, spyware, stealer, trojan
    Score 10/10

  • behavioral10
    agenttesla, keylogger, spyware, stealer, trojan
    Score 10/10

  • behavioral11
    agenttesla, keylogger, spyware, stealer, trojan
    Score 10/10

  • behavioral12
    amadey, dcrat, gafgyt, mirai, njrat, zgrat, hacked, lzrd, mirai, nyan cat, sora, unstable, wicked, botnet, infostealer, rat, trojan, upx
    Score 10/10

  • behavioral13
    agenttesla, keylogger, spyware, stealer, trojan
    Score 10/10

  • behavioral14
    Score 3/10

  • behavioral15
    Score 1/10

  • behavioral16
    Score 1/10

  • behavioral17
    Score 1/10

  • behavioral18
    Score 1/10

  • behavioral19
    Score 1/10

  • behavioral20
    Score 1/10

  • behavioral21
    Score 1/10

  • behavioral22
    Score 1/10

  • behavioral23
    evasion, themida, trojan
    Score 9/10

  • behavioral24
    evasion, themida, trojan
    Score 9/10

  • behavioral25
    risepro, stealer
    Score 10/10

  • behavioral26
    risepro, stealer
    Score 10/10

  • behavioral27
    agenttesla, keylogger, spyware, stealer, trojan
    Score 10/10

  • behavioral28
    agenttesla, keylogger, spyware, stealer, trojan
    Score 10/10

  • behavioral29
    Score 6/10

  • behavioral30
    agenttesla, discovery, keylogger, spyware, stealer, trojan
    Score 10/10

  • behavioral31
    stealc, discovery, spyware, stealer
    Score 10/10

  • behavioral32
    stealc, discovery, spyware, stealer
    Score 10/10