agenttesla

General

Target

RNSM00479.7z
Size

21.3MB
Sample

240919-xt4pkavgjb
MD5

b6e444e7c20e89a31a628c02157bd831
SHA1

7498c626f496a9518bb6505f0345ef51d590bfad
SHA256

f601b997c28d8d1a9886fb86b87e695746a48a67dbb164907069e08536099305
SHA512

7ef09c84d09181e1fea2fd50533387131a1e946839e062697f1b21ce06b98cd7c636861d45b9fe465afccf0ac7267ba5af336b2f98170b5bde44030fbe9def43
SSDEEP

393216:uvDGD2prGJ+yxS+zNp/d1Z1OiZZtDrxzVjW0cJNxitYEgg2bzkJ/8qApYBm0HukR:uv6D2pkiiNpLOiDtDrF1zcJHiSsoz4k0

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.clarisse.us
Port:
587
Username:
[email protected]
Password:
d)9TY@Xe9f38fL

Extracted

Family

njrat

Version

im523

Botnet

Smoke

C2

192.168.0.122:1604

Mutex

3ecd3edb0a06926279c0501e832883f9

Attributes

reg_key
3ecd3edb0a06926279c0501e832883f9
splitter
|'|'|

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

112.175.88.207

112.175.88.208

Extracted

Path

F:\3NRxISFx1.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX

Targets

- Target
  
  RNSM00479.7z
- Size
  
  21.3MB
- MD5
  
  b6e444e7c20e89a31a628c02157bd831
- SHA1
  
  7498c626f496a9518bb6505f0345ef51d590bfad
- SHA256
  
  f601b997c28d8d1a9886fb86b87e695746a48a67dbb164907069e08536099305
- SHA512
  
  7ef09c84d09181e1fea2fd50533387131a1e946839e062697f1b21ce06b98cd7c636861d45b9fe465afccf0ac7267ba5af336b2f98170b5bde44030fbe9def43
- SSDEEP
  
  393216:uvDGD2prGJ+yxS+zNp/d1Z1OiZZtDrxzVjW0cJNxitYEgg2bzkJ/8qApYBm0HukR:uv6D2pkiiNpLOiDtDrF1zcJHiSsoz4k0
Score

10^/10

agenttesla blackmatter gandcrab njrat urelas smoke backdoor discovery evasion execution keylogger persistence ransomware spyware stealer trojan upx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be Darkside and REvil succesor.
  ransomware blackmatter
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- UAC bypass
  evasion trojan
- Urelas
  Urelas is a trojan targeting card games.
  trojan urelas
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- AgentTesla payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1