General

  • Target

    RNSM00387.7z

  • Size

    42.2MB

  • Sample

    241103-1qvt2awcrn

  • MD5

    01268f32a4bf349d02e0d005e603b761

  • SHA1

    a20b8740213729b6142af92e9711c83826b60fa1

  • SHA256

    7ce5d0948155184bfe7004cd4a9aea722d60cc7e0ef959d054ce8e0eaded1d4d

  • SHA512

    86b649e071887de2cdaa32e4315e42b13c2e2aeaa66f7a380104ad9c09659d237d0025baf63206e77c42efcdcef4bddae7793a2a7c7b6bdc62f6706d9aab1f6a

  • SSDEEP

    786432:yeax6cznmB1icFje8X991hWeH/EmYOWViM13wjXz7b2Bs:ZanPIHLcmWcMhkbks

Malware Config

Extracted

Path

C:\Users\Admin\Searches\6FD34B-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker.
All encrypted files for this computer has extension: .6fd34b
--
If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised.
Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_6fd34b: uqsapSmC5SlVMZ+k7J7Y6N99sAisODLfe0iUV8ifUGPzEHBCrD
T2d/hZe9125+SzuHz1EgXXaz2Pv7w7BEsDN1PM9VgNUi5mlCsh
rTkPMYty9mSFvlnrZt2UXQ2lJ9djq8s2/PvCd6H6JKP55jmi0c
gVdiumjfMhacSZCAur1R+aHx513VGp7sAS1KYGVlsS7AN35q6O
ybtWsdTAC8nwKqMTRO7kfQknbJjbvkwyo0ZSKTz+Tnr4Sb9P3X
3uzgBD40cfo4XerIdW0uCZILq2G1ceyEtyA3i/Rg==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Family

azorult

C2

http://54.37.78.107/index.php

Extracted

Path

C:\Program Files\7-Zip\readme-warning.txt

Family

makop

Ransom Note
::: Greetings :::

Little FAQ:

.1.
Q: Whats Happen?
A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen.

.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.

.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailbox: [email protected] or [email protected]

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.

:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
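
The two notes above carry the indicators an analyst actually records: the Tor v3 hidden-service addresses, the extension appended to encrypted files, and (for Netwalker) the per-victim code. The following is an added example, not part of the sandbox report or of either malware family's tooling. NETWALKER_NOTE and MAKOP_NOTE are the notes quoted on this page trimmed to the indicator-bearing lines; the regexes and the output layout are this example's own assumptions. The Makop contact mailboxes are redacted on this page, so no address extraction is attempted.

```python
"""Extract indicators from ransom-note text.

Added example, not part of the sandbox report. NETWALKER_NOTE and
MAKOP_NOTE are the notes quoted on this page, trimmed to the lines that
carry indicators; the regexes and output layout are assumptions.
"""
import base64
import re
from typing import Dict, List, Optional

# Tor v3 hidden-service address: exactly 56 base32 (a-z, 2-7) characters.
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")
# Netwalker states the extension as ".xxxxxx"; Makop quotes it as "makop".
EXT_RE = re.compile(r'extension:\s*\.([0-9a-z]{2,12})|the "([0-9a-z]{2,12})" extension')
# Netwalker personal code: {code_<victim id>: <base64, line-wrapped>}
CODE_RE = re.compile(r"\{code_([0-9a-f]+):\s*([A-Za-z0-9+/=\s]+)\}")

NETWALKER_NOTE = """Hi! Your files are encrypted by Netwalker.
All encrypted files for this computer has extension: .6fd34b
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_6fd34b: uqsapSmC5SlVMZ+k7J7Y6N99sAisODLfe0iUV8ifUGPzEHBCrD
T2d/hZe9125+SzuHz1EgXXaz2Pv7w7BEsDN1PM9VgNUi5mlCsh
rTkPMYty9mSFvlnrZt2UXQ2lJ9djq8s2/PvCd6H6JKP55jmi0c
gVdiumjfMhacSZCAur1R+aHx513VGp7sAS1KYGVlsS7AN35q6O
ybtWsdTAC8nwKqMTRO7kfQknbJjbvkwyo0ZSKTz+Tnr4Sb9P3X
3uzgBD40cfo4XerIdW0uCZILq2G1ceyEtyA3i/Rg==}"""

MAKOP_NOTE = """::: Greetings ::: Little FAQ: .1. Q: Whats Happen?
A: Your files have been encrypted and now have the "makop" extension."""


def extract_indicators(note: str) -> Dict[str, object]:
    """Return onion addresses, the appended extension and, for Netwalker,
    the per-victim code's id and lengths (the blob is opaque to us; its
    length is what gets recorded, not its content)."""
    onions: List[str] = sorted(set(ONION_V3_RE.findall(note)))

    ext: Optional[str] = None
    m = EXT_RE.search(note)
    if m:
        ext = m.group(1) or m.group(2)

    code: Optional[Dict[str, object]] = None
    m = CODE_RE.search(note)
    if m:
        blob = re.sub(r"\s+", "", m.group(2))  # undo the note's line wrapping
        decoded = base64.b64decode(blob, validate=True)  # rejects stray characters
        code = {"victim_id": m.group(1), "blob_len": len(blob),
                "decoded_len": len(decoded)}

    return {"onion": onions, "extension": ext, "personal_code": code}


if __name__ == "__main__":
    for name, note in (("netwalker", NETWALKER_NOTE), ("makop", MAKOP_NOTE)):
        print(name, extract_indicators(note))
```

The 56-character check is deliberate: v2 onion addresses were 16 characters and are no longer routable, so a loose `\S+\.onion` pattern would happily collect dead or typo-squatted addresses. Running the same extractor over every note dropped during the run (the Netwalker note sits under the user's Searches folder, the Makop note under Program Files\7-Zip) is how you get one consolidated indicator list rather than re-reading each note by hand.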

Targets

    • Target

      RNSM00387.7z

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET).

    • Agenttesla family

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    • Avaddon family

    • Avaddon payload

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Detected Netwalker Ransomware

      Detected unpacked Netwalker executable.

    • Detects the common Go function and variable names used by Snatch ransomware

    • Makop

      Ransomware family discovered by @VK_Intel in early 2020.

    • Makop family

    • Netwalker Ransomware

      Ransomware family with multiple versions. Also known as MailTo.

    • Netwalker family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Snatch Ransomware

      Ransomware family generally distributed through RDP brute-force attacks.

    • Snatch family

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
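
Several of the behavioural signatures above (shadow-copy deletion, wbadmin catalog deletion, the DisableTaskMgr policy, firewall changes, Run-key persistence, and an Office parent spawning a script host) are visible in nothing more than process-creation telemetry. The block below is an added example, not the sandbox's own rule set: it evaluates those signatures over constructed event records whose field names mirror Sysmon Event ID 1 (Image, CommandLine, ParentImage). The event list, the rule patterns and the parent/child lists are this example's own assumptions.

```python
"""Flag the recovery-inhibition and persistence behaviours from the report's
signature list in process-creation events.

Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed;
field names mirror Sysmon Event ID 1 but any source with Image, CommandLine
and ParentImage works.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# (signature name as it appears in the report, regexes that must ALL match)
RULES = [
    ("Deletes shadow copies", [r"\bvssadmin(\.exe)?\b", r"\bdelete\s+shadows\b"]),
    ("Deletes shadow copies", [r"\bwmic(\.exe)?\b", r"\bshadowcopy\s+delete\b"]),
    ("Deletes backup catalog", [r"\bwbadmin(\.exe)?\b", r"\bdelete\s+catalog\b"]),
    ("Disables Task Manager via registry modification",
     [r"\breg(\.exe)?\s+add\b", r"\\policies\\system\b", r"\bdisabletaskmgr\b", r"/d\s+1\b"]),
    ("Modifies Windows Firewall", [r"\bnetsh(\.exe)?\b", r"\b(adv)?firewall\b"]),
    ("Adds Run key to start application",
     [r"\breg(\.exe)?\s+add\b", r"\\currentversion\\run\b"]),
]

# Assumed lists for the "unexpected child process" signature.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the sorted signature names that one event triggers."""
    cmd = " ".join(event.get("CommandLine", "").split())  # collapse whitespace
    hits = set()
    for name, patterns in RULES:
        if all(re.search(p, cmd, re.IGNORECASE) for p in patterns):
            hits.add(name)
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        hits.add("Process spawned unexpected child process")
    return sorted(hits)


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> triggered signatures, omitting clean events."""
    result = {}
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            result[i] = tags
    return result


# Constructed events; the dropped-payload path is illustrative only.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\Admin\AppData\Local\Temp\payload.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ParentImage": r"C:\Users\Admin\AppData\Local\Temp\payload.exe",
     "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"ParentImage": r"C:\Users\Admin\AppData\Local\Temp\payload.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\payload.exe" /f'},
    # Benign: an administrator listing shadow copies must not fire the rule.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], "->", tags)
```

Every rule requires all of its fragments to match, which is what keeps `vssadmin list shadows` clean while still catching `vssadmin.exe delete shadows /all /quiet`. The `\b` after `run` in the Run-key pattern means RunOnce is not matched; add a second rule if you want it. The registry-read signatures in the list (BIOS values, the VirtualBox ACPI keys, the country code) need registry-access telemetry rather than command lines, so they are out of scope for this block.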
