General
- Target: RNSM00452.7z
- Size: 154.2MB
- Sample: 241012-v8zytaxbmr
- MD5: a51b6e3f4c11032eb72fa4919ffd361b
- SHA1: 5dcce1b18af81a7a29b78d42c0a7fa4aa6c76d59
- SHA256: f4a36624bc6e4f44a63cea12250bf3e1d076ecd34c6e40db1637dd35b43e4fce
- SHA512: 082eee741b2cd19ea7a22a709b2f211bf9395867481b50c7c7931be35bca5b220a3e2f6d1398dcf7d3a260b002736b588070d5f3c60ffcb6ac1eed368fe03667
- SSDEEP: 3145728:da7Y6grXgeK+IDG8BTMzDTKhBK4PnNgsSeSX/+Zp1o7ll5et8lmShOr:gY6okFBKDKP8eSP+ZPWllsuq
Static task: static1
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.maiching.com
- Port: 587
- Username: [email protected]
- Password: Flo23@ret123
Extracted: njrat
- v4.0
- HacKed
- blackhacked.ddns.net:5555
- Windows
- reg_key: Windows
- splitter: |-F-|
Extracted: njrat
- 0.7d
- grand
- q8404.ddns.net:401
- d791e17fd2e3d751bcf913a0d3b90860
- reg_key: d791e17fd2e3d751bcf913a0d3b90860
- splitter: |'|'|
Targets
- Target: RNSM00452.7z (size and hashes as listed under General)
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Chaos Ransomware
- AgentTesla payload
- Detected Nirsoft tools
  Free utilities often used by attackers, which can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job: Scheduled Task (1)
Defense Evasion
- Impair Defenses: Disable or Modify System Firewall (1)
- Modify Registry (1)