General
- Target: 737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc.exe
- Size: 2.3MB
- Sample: 240421-knglmafc72
- MD5: 2784277bd68152abf75c6c6d59fab7af
- SHA1: e1d047c97e3bdfe273b215b42eccde32ca2ca63f
- SHA256: 737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc
- SHA512: e05b8251c9f6c59c7901d72c58f5b8c35dc376068368e67f81ee79da4287ddfc25c6ca5893d87944ed21c592bdd62f57d40a9f78c9af56762f33b010dd10b62c
- SSDEEP: 49152:T2Q8G4mSmM8sik/AJ+/GRfzlW+oCZBNKoiYNsVjGMFWm02qG6zSo2:T2VmT8B4JAGllW+DBNdtN811
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc.exe
- Resource: win7-20231129-en
Malware Config
- Extracted: umbral
  https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-
- Extracted: njrat
  0.7d
  HacKed
  hakim32.ddns.net:2000
  0.tcp.eu.ngrok.io:19177
  62b7d4736043995d94b02f8790cef504
  - reg_key: 62b7d4736043995d94b02f8790cef504
  - splitter: |'|'|
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect Umbral payload
- AgentTesla payload
- Drops file in Drivers directory
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.