General
Target: https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.04.7z
Sample: 240519-pya9tahf8z
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.04.7z
Resource: win10v2004-20240226-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: ikechukwu112
Extracted
nanocore
1.2.2.0
wae54.duckdns.org:40000
wave54.duckdns.org:40000
dc04a2f6-b691-4363-9339-ed427ef95e06
- activate_away_mode: true
- backup_connection_host: wave54.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2019-12-29T13:16:21.446284736Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 40000
- default_group: wave11
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: dc04a2f6-b691-4363-9339-ed427ef95e06
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: wae54.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Extracted
agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: ikechukwu112
Extracted
qakbot
324.75
spx91
1586271924
Targets
Target: https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.04.7z
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Dave packer: Detects an executable using a packer the community has named 'Dave', based on a string at the end of the executable.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
- Scripting (1)