General

  • Target

    3381f3f7860249a3f0df6614e6d2c30aa446fbb45a3aa6e7df4d68603855da37.7z

  • Size

    645KB

  • Sample

    240514-bjc8zada2z

  • MD5

    8032842bf34e51f384bb04e6421963ad

  • SHA1

    7801569f7b5c9ebf614832222540fcdf101b3efe

  • SHA256

    3381f3f7860249a3f0df6614e6d2c30aa446fbb45a3aa6e7df4d68603855da37

  • SHA512

    2dc527f55959a8dffb62f1b8aca43e328d52cd12b036e967ac13e1108f47758529b11c7df814e6372ed201f48ade35ee19822cd1344b56c4fe31c595c796fdad

  • SSDEEP

    12288:JQn7qnxBYJHx7haFf0nvbWXblJ+YmsWjiqf1nk1uX9czA0jNaK/:mn7dJRQFGvkblgsWugkQe3D
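
The digests above identify the archive as submitted; the inner executable under Targets has its own, different set. Before analysing a copy obtained elsewhere, a practitioner recomputes the digests in one pass over the file and compares them with the report. The script below is an added example, not part of the report; it reads the file in chunks so large samples do not have to fit in memory, and compares case-insensitively because reports and tools differ in hex case. ssdeep is not in the Python standard library, so only the cryptographic digests are checked here.

```python
"""Recompute a sample's digests and compare them with a sandbox report.
Added example; the only report-specific data are the digests copied below."""
import hashlib
import sys
from typing import Dict, Iterable, Iterator

# Digests copied from the report's General section (the .7z archive).
ARCHIVE_DIGESTS = {
    "md5": "8032842bf34e51f384bb04e6421963ad",
    "sha1": "7801569f7b5c9ebf614832222540fcdf101b3efe",
    "sha256": "3381f3f7860249a3f0df6614e6d2c30aa446fbb45a3aa6e7df4d68603855da37",
    "sha512": "2dc527f55959a8dffb62f1b8aca43e328d52cd12b036e967ac13e1108f47758529b11c7df814e6372ed201f48ade35ee19822cd1344b56c4fe31c595c796fdad",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(chunks: Iterable[bytes], algorithms=ALGORITHMS) -> Dict[str, str]:
    """Feed every chunk to all hashers at once, so the file is read a single time."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_chunks(path: str, chunk_size: int = 1 << 20) -> Iterator[bytes]:
    """Yield the file in 1 MiB blocks; avoids loading a large archive into memory."""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                return
            yield block


def verify(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match result; only algorithms listed in `expected` are checked,
    and comparison ignores hex case."""
    return {name: actual.get(name, "").lower() == value.lower()
            for name, value in expected.items()}


if __name__ == "__main__":
    path = sys.argv[1]
    results = verify(digest_stream(file_chunks(path)), ARCHIVE_DIGESTS)
    for name, ok in results.items():
        print(f"{name:7s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```

A mismatch on every algorithm usually means the wrong artifact (for instance the extracted .exe rather than the .7z); a mismatch on one algorithm only means the report or the copy of it was transcribed wrongly, since a single file cannot legitimately match three digests and miss the fourth.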

Malware Config

Targets

    • Target

      DOCUMENTACIÓN_20240000102835334338185_signed.exe

    • Size

      1.1MB

    • MD5

      63b2c81131687e687e3e7f1c0deb12c8

    • SHA1

      2465347106a89ada6ede41f6ee6f89f3979621a0

    • SHA256

      a609b506672dd6a2da8bd25c0ae4d21688c2ed48c1c205366e6a8c3a323e6671

    • SHA512

      20765196191da86142c415f54f948ab9ec84b2e24d991e81a185d6d5cc3ba77ed6ffa6655e8e927cac73d9ce30b55b1e21565701dbeec91a64fbd9f553cbc3e1

    • SSDEEP

      24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHal2gcNWtf8QL4vd5:gh+ZkldoPK8Yal2pWtf7L4/

    • AgentTesla

      Agent Tesla is an information stealer and remote access tool (RAT) written in .NET (originally Visual Basic .NET).

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on a newly created suspended process, together with WriteProcessMemory and ResumeThread, is the classic process-hollowing (RunPE) pattern commonly used by packed .NET loaders to run a decrypted payload inside a legitimate host process.
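
Most of the signature names above are string-based: they fire when a binary references enough browser, mail, FTP or Windows vault strings, known sandbox DLLs, an external-IP web service, or the thread-context APIs used for hollowing. The script below is an added example of the same kind of static check, not the sandbox's own rules; the indicator lists are illustrative assumptions and narrower than production signatures, and the thresholds in `classify` are assumptions too. It runs over a constructed byte string that mimics a packed .NET binary, with ASCII import names and UTF-16LE user strings, because .NET string literals live in the #US heap as UTF-16LE and a plain ASCII `strings` run misses them.

```python
"""Static string-indicator triage in the spirit of the sandbox signatures above.
Added example; INDICATORS is an illustrative assumption, not the sandbox's rule set."""
from typing import Dict, List

# Assumption: representative strings per signature family (real rules are broader).
INDICATORS: Dict[str, List[str]] = {
    "browsers": ["Chrome", "Firefox", "Opera", "Yandex", "Brave", "Vivaldi", "Chromium", "Comodo", "Torch"],
    "mail_clients": ["Outlook", "Thunderbird", "Foxmail", "IncrediMail", "Pocomail", "The Bat!"],
    "ftp_clients": ["FileZilla", "WinSCP", "FlashFXP", "SmartFTP", "CoreFTP", "WS_FTP"],
    "windows_vault": ["vaultcli.dll", "VaultOpenVault", "VaultEnumerateItems", "VaultGetItem"],
    "sandbox_dlls": ["SbieDll.dll", "snxhk.dll", "cmdvrt32.dll", "api_log.dll", "dir_watch.dll", "vmcheck.dll", "wpespy.dll"],
    "ip_lookup": ["api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com"],
    "thread_hijack": ["SetThreadContext", "WriteProcessMemory", "ResumeThread", "NtUnmapViewOfSection"],
}


def present(data: bytes, needle: str) -> bool:
    """True if the string occurs as ASCII (imports, PE metadata) or as
    UTF-16LE (.NET user strings, wide Win32 strings)."""
    return needle.encode("ascii") in data or needle.encode("utf-16-le") in data


def scan(data: bytes, indicators: Dict[str, List[str]] = INDICATORS) -> Dict[str, List[str]]:
    """Return, per family, the sorted list of indicator strings found in `data`."""
    hits: Dict[str, List[str]] = {}
    for family, needles in indicators.items():
        found = sorted(n for n in needles if present(data, n))
        if found:
            hits[family] = found
    return hits


def classify(hits: Dict[str, List[str]], many: int = 3) -> List[str]:
    """Map raw hits to verdicts resembling the report's signature names.
    Thresholds are assumptions: a lone browser name is not a stealer tell."""
    labels = []
    if len(hits.get("browsers", [])) >= many:
        labels.append("references many web browsers (information stealer)")
    if len(hits.get("mail_clients", [])) >= many:
        labels.append("references many email and collaboration clients")
    if len(hits.get("ftp_clients", [])) >= many:
        labels.append("references many file transfer clients")
    if hits.get("windows_vault"):
        labels.append("references Windows vault credential objects")
    if len(hits.get("sandbox_dlls", [])) >= 2:
        labels.append("references sandbox DLLs (sandbox evasion)")
    if hits.get("ip_lookup"):
        labels.append("looks up external IP address via web service")
    if {"SetThreadContext", "WriteProcessMemory"} <= set(hits.get("thread_hijack", [])):
        labels.append("suspicious use of SetThreadContext (possible process hollowing)")
    return labels


def constructed_sample() -> bytes:
    """Constructed stand-in for a packed .NET stealer: ASCII import names
    followed by UTF-16LE user strings. Not bytes from the real sample."""
    imports = [b"kernel32.dll", b"SetThreadContext", b"WriteProcessMemory", b"ResumeThread",
               b"vaultcli.dll", b"VaultOpenVault", b"VaultEnumerateItems"]
    user_strings = ["Chrome", "Firefox", "Opera", "Yandex", "Brave", "Outlook", "Thunderbird",
                    "FileZilla", "api.ipify.org", "SbieDll.dll", "snxhk.dll"]
    return (b"MZ\x90\x00" + b"\x00" * 60
            + b"\x00".join(imports) + b"\x00"
            + b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in user_strings))


if __name__ == "__main__":
    sample_hits = scan(constructed_sample())
    for family, found in sample_hits.items():
        print(f"{family:15s} {', '.join(found)}")
    for label in classify(sample_hits):
        print("->", label)
```

On the constructed input the browser, vault, sandbox-DLL, IP-lookup and hollowing verdicts fire, while two mail clients and one FTP client stay below the "many" threshold. Against a real packed sample the same scan will often show almost nothing, because the strings only exist in the decrypted payload; that is exactly why the report pairs these static signatures with the runtime SetThreadContext observation, and why a memory dump taken after unpacking is the right input for this kind of check.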

MITRE ATT&CK Matrix

Tasks