General
- Target: RNSM00388.7z
- Size: 6.1MB
- Sample: 241103-1npv1axrcl
- MD5: 5c24572784edd8136e2400edd909d57e
- SHA1: 3b1ebada7ce5ca40be7dfc260dda8658cd72a283
- SHA256: 4b7646416a706123783e3dae3173fdf81b46d800b4e7cc273aee598d403ca7c9
- SHA512: abde7869c364864ed33b747f64faca83405ff1a414a2526bebb77fa9b77efbaf19fd9045811fff00b2f950d9c72447a8f066aec558cc11aa28c904b47dc3be7c
- SSDEEP: 98304:MG29y5gDpqmSjqdv5p5iBliJClA9DSeOwOQMUfJATay6YMwqxcRTKOBL5K22t+jr:MGVLiPpABlTlUa7VYSTcYmcRTBOxp6
Static task: static1
Behavioral task: behavioral1
- Sample: RNSM00388.7z
- Resource: win10v2004-20241007-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: 22june1969
Extracted: crimsonrat
- 209.127.16.126
Extracted: netwalker
- C:\Program Files\11671-Readme.txt
Extracted: netwalker
- C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\D874D8-Readme.txt
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted: remcos
- 2.3.0 Pro
- USG
- ddns.njegidi888.xyz:4219
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 3
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: logged.dat
- keylog_flag: false
- keylog_path: %AppData%
- mouse_option: false
- mutex: ttiiurrbebebebebebeeeeet-I3YJ6F
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Targets
- Target: RNSM00388.7z
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Avaddon: Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
- Avaddon family
- Avaddon payload
- CrimsonRAT main payload
- Crimsonrat family
- Detected Netwalker Ransomware: Detected unpacked Netwalker executable.
- GandCrab payload
- Gandcrab family
- Netwalker Ransomware: Ransomware family with multiple versions. Also known as MailTo.
- Netwalker family
- Remcos family
- AgentTesla payload
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Downloads MZ/PE file
- Executes dropped EXE
- Uses the VBS compiler for execution