agenttesla

General

Target

NiptuneRAT-main.zip
Size

29.9MB
Sample

240317-1jw4hsgg43
MD5

5602885050f75519abfe95d7501fc5b6
SHA1

54214aa8b1a4d5e2692594ba4dea973e740e2c55
SHA256

5b054b368eda8d148383e6a64d890b885d9a0b1898493e1008ffe1a531118b6b
SHA512

7077ede3acc4b774181ff0866eeb5eb2672cdf2409384b2d46b45f8e182f3fc91bb65788c25bacc8af473a3083cc6bbbd73f5d4646b6f0fe2fb3e850c5eab7b2
SSDEEP

786432:IcRNogA1jwkC0OGikNuziqXkY0Ut79NhU8odVsGmtfIC884StIC0Q5k:IcRNojskhms5G0UsVoNIzxC0Qi

Score

10^/10

Malware Config

Extracted

Family

arrowrat

Botnet

identifier

C2

IP:PORT

Mutex

mutex

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/z77f/362973/raw/main/$77APCONSVC.EXE

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:1337

Mutex

6רbץbZPtBΒ西勒NDME4f斯贼j

Attributes

delay
1
install
true
install_file
$77.exe
install_folder
%AppData%

aes.plain

Extracted

Path

C:\Users\Admin\Desktop\pp.anarh.txt

Ransom Note

Windows has encountered a problem communicating with a device connected to your computer. This error can be caused by unplugging a removable storage device such as an external USB drive while the device is in use, or by faulty hardware such as a hard drive or CD-ROM drive that is failing. You may cancel the drive check, but it is strongly recommended that you continue. If you continue to receive this this error message, wait for the hard drive check to finish and contact the hardware manufacturer. Windows will now check the drive... ALL YOUR FILES HAVE BEEN ENCRYPTED Your hard drives have been encrypted with military-grade encryption. The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To get a unique key, write to us: Email: [email protected] If you already purchased your key, please enter it below!

Emails

[email protected]

Targets

- Target
  
  NiptuneRAT-main.zip
- Size
  
  29.9MB
- MD5
  
  5602885050f75519abfe95d7501fc5b6
- SHA1
  
  54214aa8b1a4d5e2692594ba4dea973e740e2c55
- SHA256
  
  5b054b368eda8d148383e6a64d890b885d9a0b1898493e1008ffe1a531118b6b
- SHA512
  
  7077ede3acc4b774181ff0866eeb5eb2672cdf2409384b2d46b45f8e182f3fc91bb65788c25bacc8af473a3083cc6bbbd73f5d4646b6f0fe2fb3e850c5eab7b2
- SSDEEP
  
  786432:IcRNogA1jwkC0OGikNuziqXkY0Ut79NhU8odVsGmtfIC884StIC0Q5k:IcRNojskhms5G0UsVoNIzxC0Qi
Score

10^/10

agenttesla asyncrat xworm default agilenet keylogger rat spyware stealer trojan ransomware
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Async RAT payload
  rat
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4