General
-
Target
RocketTitles.zip
-
Size
1.5MB
-
Sample
240503-zc7e8shf38
-
MD5
a243a7da60e95a786fb6376fa5cb332a
-
SHA1
cae86252fbff2fd4f6daec63d5fe28d798e84aaa
-
SHA256
8e6729406d758aa5a077694bee08334d88b594bf718a552a595a5678451051bc
-
SHA512
f2bebb2ce9290684bea1a6587a80a1598efa31436e8a959692a017a14fe729a41e4faabc9544a2117e0376c9522fc0b75a50753068c91e75781eea50f63c0599
-
SSDEEP
24576:vkPAL8N9Bs8YqGyWSBrsp/TyJrR/APhbXXKPh8w465B8LKSBHLO:vkPAL2ZYMYp0BQ2PhbF5GLKS1O
Behavioral task
behavioral1
Sample
Guna.UI2.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral2
Sample
Newtonsoft.Json.dll
Resource
win10v2004-20240419-en
Malware Config
Targets
-
-
Target
Guna.UI2.dll
-
Size
2.1MB
-
MD5
c19e9e6a4bc1b668d19505a0437e7f7e
-
SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa
-
SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
-
SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
-
SSDEEP
49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z
Score1/10 -
-
-
Target
Newtonsoft.Json.dll
-
Size
695KB
-
MD5
195ffb7167db3219b217c4fd439eedd6
-
SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8
-
SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
-
SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
SSDEEP
12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score1/10 -
-
-
Target
RocketTitles.exe
-
Size
464KB
-
MD5
85fc15eec7b28009db149df08f48a345
-
SHA1
31ba87ded6a53820cb93dd7ecd913a7e0f895866
-
SHA256
f959451391fd4bd257bddcec4d1ff4dcd5c0350d0748862437af5c1254020211
-
SHA512
3b5b8988c89df153d8b2f70dbd4f838c3b82eb9065c6963c35e77c88d5497bf9c934b1a8a1c3a85170cada8a726b8e7390428bf470933493760c32b5f8912d7f
-
SSDEEP
12288:Ihi0QGkDUyTfvqCT/4k2QjqGpNBOewDle:IUjDR3qCr4khqGrUtDle
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Umbral payload
-
AgentTesla payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-