General

  • Target

    Guna.UI2.zip

  • Size

    1.5MB

  • Sample

    240503-y6gagahd69

  • MD5

    13c38a4a61bd39abf359c42b5d9d435e

  • SHA1

    a0f4787fea328cadd9660ac59833e2fc962f33d4

  • SHA256

    bdc3e7b82f588c310abb60269f939febba49294a7ccee3fdcf5302883c5c12d6

  • SHA512

    6964437494d80557b032ab8184475cf250c7e2206d1f9975d2b420c4f11e3168627c9067b832e60a80f37ecac3406b0e5987b0a805aaeb9696172d0676bb9946

  • SSDEEP

    24576:vkPAL8N9Bs8YqGyWSBrsp/TyJrR/APhbXXKPhfLNr32FcKsHuJXW4QKkFqa:vkPAL2ZYMYp0BQ2PhfxrmFcKsP8kga

Malware Config

Targets

    • Target

      Guna.UI2.zip

    • Size

      1.5MB

    • MD5

      13c38a4a61bd39abf359c42b5d9d435e

    • SHA1

      a0f4787fea328cadd9660ac59833e2fc962f33d4

    • SHA256

      bdc3e7b82f588c310abb60269f939febba49294a7ccee3fdcf5302883c5c12d6

    • SHA512

      6964437494d80557b032ab8184475cf250c7e2206d1f9975d2b420c4f11e3168627c9067b832e60a80f37ecac3406b0e5987b0a805aaeb9696172d0676bb9946

    • SSDEEP

      24576:vkPAL8N9Bs8YqGyWSBrsp/TyJrR/APhbXXKPhfLNr32FcKsHuJXW4QKkFqa:vkPAL2ZYMYp0BQ2PhfxrmFcKsP8kga

    Score
    1/10
    • Target

      Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      c19e9e6a4bc1b668d19505a0437e7f7e

    • SHA1

      73be712aef4baa6e9dabfc237b5c039f62a847fa

    • SHA256

      9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

    • SHA512

      b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    • SSDEEP

      49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z

    Score
    1/10
    • Target

      Newtonsoft.Json.dll

    • Size

      695KB

    • MD5

      195ffb7167db3219b217c4fd439eedd6

    • SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

    • SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    • SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    • SSDEEP

      12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/

    Score
    1/10
    • Target

      Newtonsoft.Json.xml

    • Size

      696KB

    • MD5

      d398ffe9fdac6a53a8d8bb26f29bbb3c

    • SHA1

      bffceebb85ca40809e8bcf5941571858e0e0cb31

    • SHA256

      79ee87d4ede8783461de05b93379d576f6e8575d4ab49359f15897a854b643c4

    • SHA512

      7db8aac5ff9b7a202a00d8acebce85df14a7af76b72480921c96b6e01707416596721afa1fa1a9a0563bf528df3436155abc15687b1fee282f30ddcc0ddb9db7

    • SSDEEP

      6144:XqqU+k/Rik5aG0rH3jGHdl0/IdHXpgVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QA:DU1

    Score
    1/10
    • Target

      RocketTitles.exe

    • Size

      464KB

    • MD5

      bbe823f014a8c096fdc9716a18929faa

    • SHA1

      0ceb43841a339c2968ea17da76ab9c889e7a80f6

    • SHA256

      7795617b9288dfffb6fcfcdb4fb1be7945ffdd05eb72a79650c686f8fea6a778

    • SHA512

      5799b27c06a8ff42ec493a90787318e0e784261a08eae35e60d7ac75f47dae17bdeb9627793324d228f5597e6519c980843e30e621b2fce269b5b62cf36ff2dd

    • SSDEEP

      12288:Tizs0QrkDUyTfvqCT/4k2QjqGpNBOewDlA:TPIDR3qCr4khqGrUtDlA

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • AgentTesla payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      RocketTitles.exe.config

    • Size

      189B

    • MD5

      9dbad5517b46f41dbb0d8780b20ab87e

    • SHA1

      ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

    • SHA256

      47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

    • SHA512

      43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

    Score
    3/10
    • Target

      RocketTitles.pdb

    • Size

      177KB

    • MD5

      d855f7fd29c8b7dc55f8a2e297320c3e

    • SHA1

      a20f283617352184ee5c2bed4ae4b97fe0dae091

    • SHA256

      8b5f1300036b0a540858875ccf4f828fd8c4f1d4dc689027f3e7e7360ab60bc9

    • SHA512

      02abd65bbd05144be56f3fcd260c89adcc75fc6f358e434206bdf7a8c2cd9b2cc3e72bc14d423f6c66da0f34952b862deb0f0f41b8a64dee67358f28b1d288f6

    • SSDEEP

      3072:FQsI+n4wqd1lRLD42BiqeETIP20QFzTsS00r32CiaqpIPR0QFzTsS00r32wi:y+n4wS1lRD42teETIP20QFzTsS00r3Oa

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks