General

  • Target

    RNSM00396.7z

  • Size

    29.6MB

  • Sample

    241031-zxaa8sterp

  • MD5

    852631ead84c70748b7ed10389174439

  • SHA1

    f7442d849e8142853c651433bdc53953e541d49a

  • SHA256

    23ca1b521834978f16a892ba84be80cbd144fed4a066b844f4ecef108372a715

  • SHA512

    ae5296c514d0e76fda7eaf176dc3bd9126aedde59faecc888ccd634dcc6c50c9a2664ee3c34d0f43e08be74ed8d2443615cdd7a038093003d058d02fe9c6fbda

  • SSDEEP

    786432:WKL81VrqfIp0ufCtSartVhZtlXYm4GpKh8aOL9a:Wq81V7facafhZ37xKh8zL4

Malware Config

Extracted

Family

agenttesla

C2

http://potentpharm.guru/siu/inc/4caa3e0bebb96f.php

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Blackmoon family

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • AgentTesla payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (58) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Modifies boot configuration data using bcdedit

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks