General

  • Target

    RNSM00452.7z

  • Size

    154.2MB

  • Sample

    241012-v8zytaxbmr

  • MD5

    a51b6e3f4c11032eb72fa4919ffd361b

  • SHA1

    5dcce1b18af81a7a29b78d42c0a7fa4aa6c76d59

  • SHA256

    f4a36624bc6e4f44a63cea12250bf3e1d076ecd34c6e40db1637dd35b43e4fce

  • SHA512

    082eee741b2cd19ea7a22a709b2f211bf9395867481b50c7c7931be35bca5b220a3e2f6d1398dcf7d3a260b002736b588070d5f3c60ffcb6ac1eed368fe03667

  • SSDEEP

    3145728:da7Y6grXgeK+IDG8BTMzDTKhBK4PnNgsSeSX/+Zp1o7ll5et8lmShOr:gY6okFBKDKP8eSP+ZPWllsuq

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.maiching.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Flo23@ret123

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

blackhacked.ddns.net:5555

Mutex

Windows

Attributes

  • reg_key

    Windows

  • splitter

    |-F-|

Extracted

Family

njrat

Version

0.7d

Botnet

grand

C2

q8404.ddns.net:401

Mutex

d791e17fd2e3d751bcf913a0d3b90860

Attributes

  • reg_key

    d791e17fd2e3d751bcf913a0d3b90860

  • splitter

    |'|'|

Targets

    • Target

      RNSM00452.7z

    • Size

      154.2MB

    • MD5

      a51b6e3f4c11032eb72fa4919ffd361b

    • SHA1

      5dcce1b18af81a7a29b78d42c0a7fa4aa6c76d59

    • SHA256

      f4a36624bc6e4f44a63cea12250bf3e1d076ecd34c6e40db1637dd35b43e4fce

    • SHA512

      082eee741b2cd19ea7a22a709b2f211bf9395867481b50c7c7931be35bca5b220a3e2f6d1398dcf7d3a260b002736b588070d5f3c60ffcb6ac1eed368fe03667

    • SSDEEP

      3145728:da7Y6grXgeK+IDG8BTMzDTKhBK4PnNgsSeSX/+Zp1o7ll5et8lmShOr:gY6okFBKDKP8eSP+ZPWllsuq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • AgentTesla payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

MITRE ATT&CK Enterprise v15

Tasks