General
Target: friends.exp
Size: 71B
Sample: 240612-wmddcsxhqq
MD5: 02baa4ea7d85be23014a102f094d6816
SHA1: 199f995c6228eb705656f3029990aaf0bf12a588
SHA256: bae70ddcd78c54bc83e5bb64aabc142a23ec4b9f2e665b2ef86b95ad77b35b03
SHA512: ff5bc8ebeb0061e9bac2c4b09f925ef012434ca1ee94ee17bfd1a2ce3edd58cbf87d52617b4929e67d6bd25e1f9ac30da9f507c10cc0c8a88023d37e100407b8
Static task: static1
Behavioral task: behavioral1
Sample: friends.exp
Resource: win10v2004-20240611-en
Malware Config
Extracted: umbral
https://discord.com/api/webhooks/1250361429333250119/Ue0qgEfIsngTl30ZNCtwzPjGafoMAt1Nkvz6HdtQyp6-br8N7e5NViVMa77MrDft7Ulq
Targets
Target: friends.exp
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect Umbral payload
- Modifies WinLogon for persistence
- AgentTesla payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies AppInit DLL entries
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (3)