General
-
Target
Guna.UI2.zip
-
Size
1.5MB
-
Sample
240503-y6gagahd69
-
MD5
13c38a4a61bd39abf359c42b5d9d435e
-
SHA1
a0f4787fea328cadd9660ac59833e2fc962f33d4
-
SHA256
bdc3e7b82f588c310abb60269f939febba49294a7ccee3fdcf5302883c5c12d6
-
SHA512
6964437494d80557b032ab8184475cf250c7e2206d1f9975d2b420c4f11e3168627c9067b832e60a80f37ecac3406b0e5987b0a805aaeb9696172d0676bb9946
-
SSDEEP
24576:vkPAL8N9Bs8YqGyWSBrsp/TyJrR/APhbXXKPhfLNr32FcKsHuJXW4QKkFqa:vkPAL2ZYMYp0BQ2PhfxrmFcKsP8kga
Behavioral task
behavioral1
Sample
Guna.UI2.zip
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
Guna.UI2.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Newtonsoft.Json.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
Newtonsoft.Json.xml
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
RocketTitles.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral6
Sample
RocketTitles.exe.config
Resource
win10v2004-20240419-en
Behavioral task
behavioral7
Sample
RocketTitles.pdb
Resource
win10v2004-20240426-en
Malware Config
Targets
-
-
Target
Guna.UI2.zip
-
Size
1.5MB
-
MD5
13c38a4a61bd39abf359c42b5d9d435e
-
SHA1
a0f4787fea328cadd9660ac59833e2fc962f33d4
-
SHA256
bdc3e7b82f588c310abb60269f939febba49294a7ccee3fdcf5302883c5c12d6
-
SHA512
6964437494d80557b032ab8184475cf250c7e2206d1f9975d2b420c4f11e3168627c9067b832e60a80f37ecac3406b0e5987b0a805aaeb9696172d0676bb9946
-
SSDEEP
24576:vkPAL8N9Bs8YqGyWSBrsp/TyJrR/APhbXXKPhfLNr32FcKsHuJXW4QKkFqa:vkPAL2ZYMYp0BQ2PhfxrmFcKsP8kga
Score1/10 -
-
-
Target
Guna.UI2.dll
-
Size
2.1MB
-
MD5
c19e9e6a4bc1b668d19505a0437e7f7e
-
SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa
-
SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
-
SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
-
SSDEEP
49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z
Score1/10 -
-
-
Target
Newtonsoft.Json.dll
-
Size
695KB
-
MD5
195ffb7167db3219b217c4fd439eedd6
-
SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8
-
SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
-
SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
SSDEEP
12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score1/10 -
-
-
Target
Newtonsoft.Json.xml
-
Size
696KB
-
MD5
d398ffe9fdac6a53a8d8bb26f29bbb3c
-
SHA1
bffceebb85ca40809e8bcf5941571858e0e0cb31
-
SHA256
79ee87d4ede8783461de05b93379d576f6e8575d4ab49359f15897a854b643c4
-
SHA512
7db8aac5ff9b7a202a00d8acebce85df14a7af76b72480921c96b6e01707416596721afa1fa1a9a0563bf528df3436155abc15687b1fee282f30ddcc0ddb9db7
-
SSDEEP
6144:XqqU+k/Rik5aG0rH3jGHdl0/IdHXpgVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QA:DU1
Score1/10 -
-
-
Target
RocketTitles.exe
-
Size
464KB
-
MD5
bbe823f014a8c096fdc9716a18929faa
-
SHA1
0ceb43841a339c2968ea17da76ab9c889e7a80f6
-
SHA256
7795617b9288dfffb6fcfcdb4fb1be7945ffdd05eb72a79650c686f8fea6a778
-
SHA512
5799b27c06a8ff42ec493a90787318e0e784261a08eae35e60d7ac75f47dae17bdeb9627793324d228f5597e6519c980843e30e621b2fce269b5b62cf36ff2dd
-
SSDEEP
12288:Tizs0QrkDUyTfvqCT/4k2QjqGpNBOewDlA:TPIDR3qCr4khqGrUtDlA
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Umbral payload
-
AgentTesla payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
RocketTitles.exe.config
-
Size
189B
-
MD5
9dbad5517b46f41dbb0d8780b20ab87e
-
SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e
-
SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf
-
SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8
Score3/10 -
-
-
Target
RocketTitles.pdb
-
Size
177KB
-
MD5
d855f7fd29c8b7dc55f8a2e297320c3e
-
SHA1
a20f283617352184ee5c2bed4ae4b97fe0dae091
-
SHA256
8b5f1300036b0a540858875ccf4f828fd8c4f1d4dc689027f3e7e7360ab60bc9
-
SHA512
02abd65bbd05144be56f3fcd260c89adcc75fc6f358e434206bdf7a8c2cd9b2cc3e72bc14d423f6c66da0f34952b862deb0f0f41b8a64dee67358f28b1d288f6
-
SSDEEP
3072:FQsI+n4wqd1lRLD42BiqeETIP20QFzTsS00r32CiaqpIPR0QFzTsS00r32wi:y+n4wS1lRD42teETIP20QFzTsS00r3Oa
Score3/10 -