General
-
Target
Newtonsoft.Json.zip
-
Size
1.5MB
-
Sample
240503-zh4xashg54
-
MD5
4ed0fb07a6f6eac3a8393f7e921469ad
-
SHA1
8a35522ee4037f4118666032ed19372a2d082a0c
-
SHA256
b7f491f401f7e55c8120d87d7f36eded59ca86e48b91dc7612df915c5fbdd755
-
SHA512
4452efaa59883a32925d66c025dc50d099d09e1539e0e378da7dfdcd62228e910ed9471efa4e53341ce4df339c0e6f1fb92e70e86542dd0ff6c275607014611a
-
SSDEEP
24576:vkPAL8N9Bs8YqGyWSBrsp/TyJrR/APhbXXKPhK+kUQh4zvoUSr03:vkPAL2ZYMYp0BQ2PhU477SU
Behavioral task
behavioral1
Sample
Newtonsoft.Json.zip
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
Guna.UI2.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Newtonsoft.Json.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
Newtonsoft.Json.xml
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
RocketTitles.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
RocketTitles.exe.config
Resource
win10v2004-20240419-en
Behavioral task
behavioral7
Sample
RocketTitles.pdb
Resource
win10v2004-20240419-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1236047504458518648/JQRxvzCGg9gVDBGAsCh4Y7lt6-VpyZJcpy_w2pc8Qwt0sZVsg3Znypp4Lv0kPFzHxpM9
Targets
-
-
Target
Newtonsoft.Json.zip
-
Size
1.5MB
-
MD5
4ed0fb07a6f6eac3a8393f7e921469ad
-
SHA1
8a35522ee4037f4118666032ed19372a2d082a0c
-
SHA256
b7f491f401f7e55c8120d87d7f36eded59ca86e48b91dc7612df915c5fbdd755
-
SHA512
4452efaa59883a32925d66c025dc50d099d09e1539e0e378da7dfdcd62228e910ed9471efa4e53341ce4df339c0e6f1fb92e70e86542dd0ff6c275607014611a
-
SSDEEP
24576:vkPAL8N9Bs8YqGyWSBrsp/TyJrR/APhbXXKPhK+kUQh4zvoUSr03:vkPAL2ZYMYp0BQ2PhU477SU
Score1/10 -
-
-
Target
Guna.UI2.dll
-
Size
2.1MB
-
MD5
c19e9e6a4bc1b668d19505a0437e7f7e
-
SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa
-
SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
-
SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
-
SSDEEP
49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z
Score1/10 -
-
-
Target
Newtonsoft.Json.dll
-
Size
695KB
-
MD5
195ffb7167db3219b217c4fd439eedd6
-
SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8
-
SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
-
SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
SSDEEP
12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score1/10 -
-
-
Target
Newtonsoft.Json.xml
-
Size
696KB
-
MD5
d398ffe9fdac6a53a8d8bb26f29bbb3c
-
SHA1
bffceebb85ca40809e8bcf5941571858e0e0cb31
-
SHA256
79ee87d4ede8783461de05b93379d576f6e8575d4ab49359f15897a854b643c4
-
SHA512
7db8aac5ff9b7a202a00d8acebce85df14a7af76b72480921c96b6e01707416596721afa1fa1a9a0563bf528df3436155abc15687b1fee282f30ddcc0ddb9db7
-
SSDEEP
6144:XqqU+k/Rik5aG0rH3jGHdl0/IdHXpgVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QA:DU1
Score1/10 -
-
-
Target
RocketTitles.exe
-
Size
464KB
-
MD5
f11a1e49b2e53e4ad13c68c049d69c1f
-
SHA1
26fca9e7cdd2deb0a085597eaacc96d5f96e88a8
-
SHA256
81ba1eb0965ae6b7755e79a5d8ad19cb9ece2ba87e5e25cd718fe722c1c277e1
-
SHA512
932b02adc97750357b95d59dfe41e8d414690c0a8437e2c1bcb5ff6bde913639a3145371837ba7a570508e06f1282a12925fe0b10ebf04ee550fb5590ba3977c
-
SSDEEP
12288:MMms0Qz3DUyTfvqCT/4k2QjqGpNBOewDlJ:MfsjDR3qCr4khqGrUtDlJ
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Umbral payload
-
AgentTesla payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
RocketTitles.exe.config
-
Size
189B
-
MD5
9dbad5517b46f41dbb0d8780b20ab87e
-
SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e
-
SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf
-
SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8
Score3/10 -
-
-
Target
RocketTitles.pdb
-
Size
177KB
-
MD5
896ae4b971bff3190dc0019d49476a31
-
SHA1
05434f3ef5d3d0151a90867b3a6f41e1298d30d8
-
SHA256
cc554efe3221c48d662541b582e49f9da84b8f5ac6e10c3eee95955ef20219dc
-
SHA512
9cff0e126c3179c4c5dac3e69190268980bae75addb391e9e967e71feda99d7518c1dd84740ac68ffb56207bdbdcf1399b2307200b74c490c283288f5fa9120f
-
SSDEEP
3072:4RpMYTwqWl1ULDHNl/CIqNIPC0QFzTsS00ryNiaCcIPF0QFzTsS00ryIi:UTwZl1GDHNlqIqNIPC0QFzTsS00ryCcJ
Score3/10 -