General

  • Target

    RNSM00369.7z

  • Size

    12.6MB

  • Sample

    241107-tfwj9avke1

  • MD5

    98cb8facb4fa2c24070364e766582cf5

  • SHA1

    4ed374a82f019b31ca90b109d4e991868185d8d7

  • SHA256

    6d33c5deccf753dfa4d754a99bda78bcf23a3e12760bea44925a555ca1aac507

  • SHA512

    ff42a1be026e9c947cf9ae5ca41d0d53d9afb5117d9976f110d5a0767a1fb159437023ddc1e7c57412b38ca90d4130c21059876692eb30b07ed87931c385b4a7

  • SSDEEP

    393216:AQGtqFA7phdikplEZsZ6nIj99IH6cvkV1o:7gpp/5EZpiTcMk

Malware Config

Extracted

  • Family

    gozi

Extracted

  • Family

    njrat

  • Version

    0.6.4

  • Botnet

    HacKed

  • C2

    shadowpro87.ddns.net:1177

  • Mutex

    9165950e91e4e361fa21d31cf1cfc39b

  • Attributes

    reg_key: 9165950e91e4e361fa21d31cf1cfc39b

    splitter: |'|'|

Extracted

  • Path

    F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\KRAB-DECRYPT.txt

  • Ransom Note

    ---= GANDCRAB V4 =---
    Attention!
    All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
    The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
    The server with your key is in a closed network TOR. You can get there by the following ways:
    ----------------------------------------------------------------------------------------
    | 0. Download Tor browser - https://www.torproject.org/
    | 1. Install Tor browser
    | 2. Open Tor Browser
    | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/a3e3e3c828f8a278
    | 4. Follow the instructions on this page
    ----------------------------------------------------------------------------------------
    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
    ATTENTION!
    IN ORDER TO PREVENT DATA DAMAGE:
    * DO NOT MODIFY ENCRYPTED FILES
    * DO NOT CHANGE DATA BELOW
    ---BEGIN GANDCRAB KEY---
    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
    ---END GANDCRAB KEY---
    ---BEGIN PC DATA---
    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
    ---END PC DATA---

  • URLs

    http://gandcrabmfe6mnef.onion/a3e3e3c828f8a278

Extracted

  • Path

    C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\HOW TO RECOVER ENCRYPTED FILES.TXT

  • Ransom Note

    ---= ^_^ Your files are now encrypted!! ^_^ =---
    Attention!
    All your files, documents, photos, databases and other important files are encrypted
    The only method of recovering files is to purchase an unique private decryptor. Only we can give you this decryptor and only we can recover your files.
    IN ORDER TO PREVENT DATA DAMAGE:
    * DO NOT MODIFY ENCRYPTED FILES
    * DO NOT CHANGE DATA BELOW
    * Do not rename encrypted files.
    * Do not try to decrypt your data using third party software, it may cause permanent data loss.
    * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
    Now you should send us email with your key identifier and version. This email will be as confirmation you are ready to pay for decryption key.
    You have to pay for decryption in Bitcoins or Dash. The price depends on how fast you write to us.
    After payment we will send you the decryption tool that will decrypt all your files.
    If the payment isn't made with in 5 days the cost of decrypting files will be doubled
    We can give you free decryption as guarantee!
    Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 100kb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
    You can contact us in these email address:
    ----- [email protected] ---or--- [email protected] ------
    If you don't get a reply or if the email dies, then contact us using Bitmessage.
    Download it form here: https://bitmessage.org/wiki/Main_Page
    Run it, click New Identity and then send us a message at BM-2cSzfawmdGKeT8ny99qtMeiGb27TcVBJXz
    I don't have Bitcoin (BTC) or DASH (DSH). How can I make the payment?
    * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price: https://localbitcoins.com/buy_bitcoins
    * Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins
    * https://buy.bitcoin.com/
    * https://coinmonitor.io/en/
    * https://coinmama.com/
    * https://changelly.com/
    * https://payeer.com/
    * https://cex.io/
    Version: 1.1
    Your Key Indentifier:
    +4IAAAAAAACDgsVTHZLZAYA4DENXuhpazwVwuA065FkYNyZphRqxOuu0ZRKyirttqv+S++zKEimgKfeMMnoZopiXiy87+x0W=Oih
    hJgYGtwlberer7OB7Xh3fAVECntnUGKw+n+F5Y8yJIxXlSHUFdVT07jtm6tmVHi1aCz5dwM4KHRXPYmg2VzMtNtOIOr5kl+sSN01
    SfAvK11hpvKvoDLjmIAU=8hnawkWywL=dGJIa3IiltLpGVet0jn9HvAVatG1+qrnOPrGyz0WeHeNim4JwaBG1SlRaFSQxW447Jvi
    aSPjCGxenLkvCLcXrZfVuu2rmRXc0RXJUwTxc=5yRUGUUjRz4PALpDrcJbrb+CwUnoyyy4PK1mx0Jhr26ttt7WMSIEwKXAbg6RIW
    VsibfDhyBMdMgEYp1Ksnegs13Q

  • URLs

    https://bitmessage.org/wiki/Main_Page

    https://buy.bitcoin.com/

    https://coinmonitor.io/en/

    https://coinmama.com/

    https://changelly.com/

    https://payeer.com/

    https://cex.io/

Targets

    • Target

      RNSM00369.7z

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Dharma

      Dharma is a ransomware family that uses the installation of security software as cover to hide its malicious activity.

    • Dharma family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Gozi family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Njrat family

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

    • Ramnit family

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • UAC bypass

    • Windows security bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • AgentTesla payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (526) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks