Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://bazaar.abuse...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://bazaar.abuse.ch/download/9389de75134803e64539e04f6b4db1081754b829fbb3ae0929bf1040fefc9258/

  • Sample

    240529-nc8shscf7z

Score
10/10
agentteslablackmoonquasaroffice04bankerexecutionkeyloggerpersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7079001145:AAFUmbtnKJ_-Y94Vi3Jf0SpEGlkYUg-JXhk/

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

31.177.108.29:4782

Mutex

553dcf2c-4c70-4c0c-935a-2e078a46f03e

Attributes
  • encryption_key

    DAFF70D249B4EC619D5A052FDD3418E3549FF268

  • install_name

    KR6nDu9fLhop1bFe.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Defender.Process

  • subdirectory

    SubDir

Targets

    • Target

      https://bazaar.abuse.ch/download/9389de75134803e64539e04f6b4db1081754b829fbb3ae0929bf1040fefc9258/

    Score
    10/10
    agentteslablackmoonquasaroffice04bankerexecutionkeyloggerpersistenceransomwarespywarestealertrojanupx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Renames multiple (394) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks