General

  • Target

    RocketTitles.zip

  • Size

    1.5MB

  • Sample

    240503-zc7e8shf38

  • MD5

    a243a7da60e95a786fb6376fa5cb332a

  • SHA1

    cae86252fbff2fd4f6daec63d5fe28d798e84aaa

  • SHA256

    8e6729406d758aa5a077694bee08334d88b594bf718a552a595a5678451051bc

  • SHA512

    f2bebb2ce9290684bea1a6587a80a1598efa31436e8a959692a017a14fe729a41e4faabc9544a2117e0376c9522fc0b75a50753068c91e75781eea50f63c0599

  • SSDEEP

    24576:vkPAL8N9Bs8YqGyWSBrsp/TyJrR/APhbXXKPh8w465B8LKSBHLO:vkPAL2ZYMYp0BQ2PhbF5GLKS1O

Malware Config

Targets

    • Target

      Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      c19e9e6a4bc1b668d19505a0437e7f7e

    • SHA1

      73be712aef4baa6e9dabfc237b5c039f62a847fa

    • SHA256

      9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

    • SHA512

      b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    • SSDEEP

      49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z

    Score

      1/10

    • Target

      Newtonsoft.Json.dll

    • Size

      695KB

    • MD5

      195ffb7167db3219b217c4fd439eedd6

    • SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

    • SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    • SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    • SSDEEP

      12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/

    Score

      1/10

    • Target

      RocketTitles.exe

    • Size

      464KB

    • MD5

      85fc15eec7b28009db149df08f48a345

    • SHA1

      31ba87ded6a53820cb93dd7ecd913a7e0f895866

    • SHA256

      f959451391fd4bd257bddcec4d1ff4dcd5c0350d0748862437af5c1254020211

    • SHA512

      3b5b8988c89df153d8b2f70dbd4f838c3b82eb9065c6963c35e77c88d5497bf9c934b1a8a1c3a85170cada8a726b8e7390428bf470933493760c32b5f8912d7f

    • SSDEEP

      12288:Ihi0QGkDUyTfvqCT/4k2QjqGpNBOewDle:IUjDR3qCr4khqGrUtDle

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and infostealer, originally written in Visual Basic .NET.

    • Detect Umbral payload

    • Umbral

      Umbral Stealer is an open-source, modular stealer written in C#.

    • AgentTesla payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. Such exclusions persist after the process exits, so the Defender exclusion list on an affected host should be reviewed during cleanup.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and autofill data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to discover the infected system's external IP address.
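The PowerShell behaviour listed above (Defender exclusions for extensions, paths and processes) is one of the easiest signals in this report to hunt for in process-creation telemetry. The following is an added example, not code from the report or from the sandbox: it flags command lines that invoke the real Defender cmdlets `Add-MpPreference` / `Set-MpPreference` with an `-Exclusion*` parameter, and also decodes `-EncodedCommand` payloads (base64 of UTF-16LE, which is what PowerShell expects) so that an encoded invocation is not missed. The log lines are constructed for the example and are not taken from the sample's execution.

```python
import base64
import re


def _enc(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample process-creation command lines (not from the report).
# The last entry carries the same cmdlet hidden behind -EncodedCommand.
SAMPLE_CMDLINES = [
    r'powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionPath "C:\Users\Public"',
    r'powershell -nop -c "Set-MpPreference -ExclusionExtension .exe,.dll"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RocketTitles.exe',
    r"powershell.exe Get-MpPreference",
    r"cmd.exe /c dir C:\ ",
    "powershell.exe -NoProfile -EncodedCommand " + _enc('Add-MpPreference -ExclusionPath "C:\\ProgramData"'),
]

# Cmdlets that can write Defender exclusions (Get-MpPreference only reads them).
CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# Exclusion parameters accepted by those cmdlets.
PARAM = re.compile(r"-Exclusion(Path|Extension|Process|IpAddress)\b", re.IGNORECASE)
# Common spellings of the encoded-command switch followed by its base64 argument.
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the command line with any -EncodedCommand payload decoded and appended.

    Malformed base64 or non-UTF-16 data is left alone rather than raising, so one
    odd log line cannot abort a scan.
    """
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + decoded


def classify(cmdline: str) -> list:
    """Return the sorted exclusion kinds ('path', 'extension', ...) a command line sets.

    An empty list means the line does not modify Defender exclusions.
    """
    text = decode_encoded_command(cmdline)
    if not CMDLET.search(text):
        return []
    return sorted({m.group(1).lower() for m in PARAM.finditer(text)})


def scan(cmdlines) -> list:
    """Return (1-based line number, exclusion kinds) for every matching command line."""
    hits = []
    for number, cmdline in enumerate(cmdlines, 1):
        kinds = classify(cmdline)
        if kinds:
            hits.append((number, kinds))
    return hits


if __name__ == "__main__":
    for number, kinds in scan(SAMPLE_CMDLINES):
        print(f"line {number}: Defender exclusion added for {', '.join(kinds)}")
```

The decoder only handles the plain `-EncodedCommand` case; obfuscation layers such as string concatenation or `-Command` bodies built at runtime need script-block logging (Event ID 4104) rather than command-line matching.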

MITRE ATT&CK Enterprise v15

Tasks