Overview
Static

Analysis tabs (each tab's score out of 10, which the flattened layout fused onto the next tab's label, is shown in its own column):

Tab                              Platform            Score
Overview                         -                   10
Static                           -                   10
#Order#.exe                      windows7-x64        10
#Order#.exe                      windows10-2004-x64  10
#QTN-20-97...7..exe              windows7-x64        10
#QTN-20-97...7..exe              windows10-2004-x64  10
$70k MT 30JAN.exe                windows7-x64        10
$70k MT 30JAN.exe                windows10-2004-x64  10
03-02-20.exe                     windows7-x64        10
03-02-20.exe                     windows10-2004-x64  10
20191107145436608.exe            windows7-x64        10
20191107145436608.exe            windows10-2004-x64  10
2019111211...fo.exe              windows7-x64        10
2019111211...fo.exe              windows10-2004-x64  10
2020 ORDERS.exe                  windows7-x64        10
2020 ORDERS.exe                  windows10-2004-x64  10
624880_ZOC...PT.exe              windows7-x64        10
624880_ZOC...PT.exe              windows10-2004-x64  10
ADMIN DEPT...NT.exe              windows7-x64        10
ADMIN DEPT...NT.exe              windows10-2004-x64  10
AWB_TR0089.exe                   windows7-x64        3
AWB_TR0089.exe                   windows10-2004-x64  3
Avis de virement.exe             windows7-x64        10
Avis de virement.exe             windows10-2004-x64  10
BL-INVOICE...CS.exe              windows7-x64        10
BL-INVOICE...CS.exe              windows10-2004-x64  10
BMS PO 4820.exe                  windows7-x64        10
BMS PO 4820.exe                  windows10-2004-x64  10
BSO_191120...df.exe              windows7-x64        10
BSO_191120...df.exe              windows10-2004-x64  10
Bank Information.exe             windows7-x64        10
Bank Information.exe             windows10-2004-x64  10
C.V - Expe...es.exe              windows7-x64        3
C.V - Expe...es.exe              windows10-2004-x64  3

General
-
Target
JaffaCakes118_b3cc4e1f09aa77a31e7071f2a505bfe5f13f9ec3cb73997b0d4a5ac36fc710fa
-
Size
39.4MB
-
Sample
241224-rht34azjgl
-
MD5
740d3f8ce89c4a34cddfb12c0d1014b3
-
SHA1
4742325ed1711e75a959b2697dd8718dcde18fb4
-
SHA256
b3cc4e1f09aa77a31e7071f2a505bfe5f13f9ec3cb73997b0d4a5ac36fc710fa
-
SHA512
ad7ad5210698554000f49fc58b904d02e1932a0e281ff31b6b9c68e76aaa25113747da034502fd8151a61e11ae134d05c7b73a4ff61267e66a1ad8a47f4d9cf6
-
SSDEEP
786432:q/328rvIhfpHH5mszuEu0+t6I4aBDNvonFk2jZAofnsPUxF:cG8iULEuL6IxronHioffxF
Behavioral task
behavioral1
Sample
#Order#.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
#Order#.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
#QTN-20-971-JA04Q7..exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
#QTN-20-971-JA04Q7..exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$70k MT 30JAN.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$70k MT 30JAN.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
03-02-20.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
03-02-20.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
20191107145436608.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
20191107145436608.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
2019111211292579875_BankInfo.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
2019111211292579875_BankInfo.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
2020 ORDERS.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
2020 ORDERS.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
624880_ZOC10280374040_IFP_PT.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
624880_ZOC10280374040_IFP_PT.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
ADMIN DEPT. INVOICES 482 SGT STATEMENT.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
ADMIN DEPT. INVOICES 482 SGT STATEMENT.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
AWB_TR0089.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
AWB_TR0089.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
Avis de virement.exe
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
Avis de virement.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
BL-INVOICE SHIPPING DOCS.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
BL-INVOICE SHIPPING DOCS.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
BMS PO 4820.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
BMS PO 4820.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
BSO_191120201_430001882_SHpdf.exe
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
BSO_191120201_430001882_SHpdf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Bank Information.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
Bank Information.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
C.V - Experience Certificates.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
C.V - Experience Certificates.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
guloader
https://cranetechllc.ml/omega22.bin
https://drive.google.com/uc?export=download&id=1XjUHIgW5T6HcodhQNf4poqrFbSYVe2Qd
http://careint.pw/docs/pdf/arab_encrypted_6CFC030.bin
https://drive.google.com/uc?export=download&id=1VToYtsw5rlxVp08dM1TZ1rGrnrsQ10fg
https://drive.google.com/uc?export=download&id=10FzFkYCZotTZUmUFkblyfcqV3Pl8H5cS
https://drive.google.com/uc?export=download&id=1q-1xTD9weiWyiJIbO51ubhF470YCiWrW
https://drive.google.com/uc?export=download&id=1qCk1c-sywYiSOatB4J7OY2cPPHJ88OmZ
https://serviciotecnicoenperu.com/UGOPOUNDS%20FILE%20LOKI_encrypted_982F15F.bin
Extracted
agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: nVGdKgL2
Extracted
warzonerat
79.134.225.29:1960
Targets
-
-
Target
#Order#.exe
-
Size
1.5MB
-
MD5
1155e9051add5caf1f9ddb9800bd8814
-
SHA1
8fc58515afa1f27ca5ca6ae3d9cdd4828475f899
-
SHA256
2145b4c5abd6f3c3ab4daa594069968619841f90e971b2f4d910f8b5f964389f
-
SHA512
76d87144c1db1e17dc970e2745560fc2b19376f066cd82a4421a1a23c17163fc4182944a65aab55473a6d2262e8e9708bc9aafeffa04a284f99fa6e32f41ff44
-
SSDEEP
24576:pu6J33O0c+JY5UZ+XC0kGso6Fa1Ir7BiazQsNAcL4pIhjbu/o57HtWY:Lu0c++OCvkGs9Fa1IIPaLiIhuqcY
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Agenttesla family
-
AgentTesla payload
-
Drops startup file
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
#QTN-20-971-JA04Q7..exe
-
Size
76KB
-
MD5
be4aafc0bb1b1108fd43c52d23f7bc82
-
SHA1
058ef7378000cd15d93e3e3dabec76a74e50d1f7
-
SHA256
84a52d8714b6e93f7361b6884e2c292d2768d583e2f01cb3eda25d7bda701eff
-
SHA512
20a649b338c36d2baf586efddfb9c416818bec38de25c4f8e7f567fecaa6211cedbcd2e045be99ede6e3e2dd188115e7f58722519ea74478ab453a69e1beb647
-
SSDEEP
1536:E4BUVEpEdE+oGJlpr3J5Z4Q8NrHUVEpEdE+oGJ:GuWd/oGljJ5CQuQuWd/oG
Score 10/10
-
Guloader family
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$70k MT 30JAN.exe
-
Size
68KB
-
MD5
46bbf5e855bc75bac0102f64ef89d020
-
SHA1
9ae433aa63784d9ca7d614859bdd27fd1f377b68
-
SHA256
f51c1470741a6272f90a147fc717bbbc8808a92107e7c16f7c1ff57c69ee2791
-
SHA512
30072e2a142563d111d3671f055da9a9ed075ae9f6809bbb85136d923112d3b4e4d9d877f6fb470d0170823ef219e70a0400ef868e9454d340055e83aa5e0599
-
SSDEEP
768:kQOK55sy7IbEfUMMuqe+bQ8u4OK55sy7IbEfUM:kXKn95InnbQ8GKn95
Score 10/10
-
Guloader family
-
Guloader payload
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
03-02-20.exe
-
Size
1.4MB
-
MD5
bd60799f301063dc0f421c2c931ccfdc
-
SHA1
2a62f63630f28ae0634605b361410bbc8ed1eacd
-
SHA256
582378f817f2393d4fc8d78c493de7e6f2639c4b2aca466e277d47ca53a3f092
-
SHA512
7b502d4fd1f1372e2de7e06d1c3cc8f2baecbeab5dfd483b563dce4dbaa2bc0642bf7d6800e05e97580a0e813857c7737952a66c7f1e5fc0a587b3d9ce555c48
-
SSDEEP
24576:yu6J33O0c+JY5UZ+XC0kGso6FaNDqdyUOW2xB5KDthptAMXDYP3VcSYvOPWY:0u0c++OCvkGs9FaNGdyUOW2xBkDPpmMS
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Agenttesla family
-
AgentTesla payload
-
Drops startup file
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
20191107145436608.exe
-
Size
68KB
-
MD5
97393d9e6eaa2b3481cac21c96fbaeca
-
SHA1
5bdfc65074dcdad5f27039e68585d4f650f5d712
-
SHA256
de6adf588622a2f3a30bb2ba35c9a51d6d3a8ae854c145c1ea1815cc15172a24
-
SHA512
9d06803a8c8e0f2bdcf5a56f188055f0e5dfcd24231626e043c2bf06388ba8032d8f940b8ee5b60cb64ec3326ee9f2adef8f63a4a9d927038692fdbbb44520a6
-
SSDEEP
1536:IxAPHeWBb/FM7gKbYbY0yQnPMEQSyQtBb/FM7gKbYbY:MWE7gmQnPZQTQtE7g
Score 10/10
-
Guloader family
-
Guloader payload
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
2019111211292579875_BankInfo.exe
-
Size
116KB
-
MD5
88eaf0228d3e91df53e98cc856460d58
-
SHA1
ff55b60f33dc532d3c3ead9efe2e44edf3e07b45
-
SHA256
115f68c5b3dcdd290f1aed783b1485915fda14f9840b132f519e9eb67c561e41
-
SHA512
062c26490796cef240aaced3a346d4ed55d32f91ef07f52b04eb9cd2a150d8e49774582a5f66b96c2e3394c63c84c94388a28959a95d2f63c136bf6e8e6d329f
-
SSDEEP
1536:Jl1cZnZjQkVjKSeRyfwLAY1DqOwvRyNnZjQkVjKSuTN1:JlKPUkVjKVROwJJBwvReUkVjKvR1
Score 10/10
-
Guloader family
-
Guloader payload
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
2020 ORDERS.exe
-
Size
48KB
-
MD5
73286015e393e84ed9de6bac47026c0e
-
SHA1
a25fc0f6100b97e522875ffc650b90e22db399c2
-
SHA256
9e4af6893873207e1945b734ceddef69ebcbe5c2b6b68a1a2a3b8adbc04a241f
-
SHA512
23971c9b8d59ff4a19ae7ab6f5601cb7a52b043a1565281afa752d1806e084cb2328d1d166b778d01a53581de80507fa0b280abf08d53a6adf293eb9031bc630
-
SSDEEP
768:C/L/6YGYmNJ/AKXN0iRLVbqHoKyQG0F0aQK3LSTZof7:C/k7/AeeiZVbhUTyDseT87
Score 10/10
-
Guloader family
-
Guloader payload
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
624880_ZOC10280374040_IFP_PT.exe
-
Size
1.5MB
-
MD5
a94a92a26e007e7bd968f6fb01a0095b
-
SHA1
f6b1610de7bdeaedfc72a3ba0cdb68078121c080
-
SHA256
432fc1341719ea2bcaebcee83f96b20ad7e86cdeac01870377816738f50b3b7c
-
SHA512
a6f911d84e14b20a147f7806649f904293513c28be444d5530f188396edde386fb183034c2a48af00ed9f9b5196c63cd63b59f60f770c20d5302382dcef9ccf6
-
SSDEEP
24576:82rT5JibBsR1YAcUSWcPsPQcVnJtCaYFA9M3CSLf2z4Nnjxs2+NhunQQS+PDYeoU:NpJ22R1rcUWPsPFVrCaYNSSLfY4/GTuj
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Agenttesla family
-
AgentTesla payload
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
ADMIN DEPT. INVOICES 482 SGT STATEMENT.exe
-
Size
72KB
-
MD5
bebdb7689b5697c9c63a45b3f367151b
-
SHA1
76fba6d49342b6a66212e5fa412b378938d27ffa
-
SHA256
a8465b4f33e83daa0a165222ced1ada582be57b3d55f386dacbbce8463f31256
-
SHA512
03ab75ef2ddb1b2389f4d88d6e19448dd93a25498e8393eaf69356385d11b9d7329cde4869fa4dd9321942a7f63ba32f0c1c85353de7848439071c8630d00bd8
-
SSDEEP
1536:LQtJgJi0e+J9VbfiFmRZ9KbyVbrJgJi0e+J:kwE+HVrKbyVnwE+
Score 10/10
-
Guloader family
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
AWB_TR0089.exe
-
Size
1.2MB
-
MD5
6c2e87cf5c1a84fdaedb4074dbf92922
-
SHA1
bab5f9acfccd5f692223139570d3abc5c85bab78
-
SHA256
e362b06fee19208104988e8904e295630612296a60244020ffbef7d6df22cd2f
-
SHA512
333d44f682154240b99e86308a55ba659b8fff4dcf9dea82293e6c7bbc16dd6adc82ee1774042766b66974b7f1d82c6755967e4a2c73e2e81bf1623488db3fef
-
SSDEEP
24576:fu6J33O0c+JY5UZ+XC0kGso6FayAwm8bU8RkjbHAq9LWY:pu0c++OCvkGs9Fayn1UPTA9Y
Score 3/10
-
-
-
Target
Avis de virement.exe
-
Size
124KB
-
MD5
63a9dd43976a1fee9357d85367a23fac
-
SHA1
2951b3d16d7449f857d88cfa403367d98a5b49b4
-
SHA256
2922b5cec1af1aa38e62b79f1b6618c7e110bee195c1defe6a642f320954b141
-
SHA512
1793f07462b2fba3c3a93365175f2dffb978fb4696535540897194ae0dd4ac3442ca8d29fdc53b3412448856003dc0b05611b6ac6cf30bf3726a899a9f59b04f
-
SSDEEP
1536:ROLrNLj8qgCSnfadnBTITmG49afNLj8qgCSnfaddLO:ALrNLrtdnBMl49afNLrtddC
Score 10/10
-
Guloader family
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
BL-INVOICE SHIPPING DOCS.exe
-
Size
188KB
-
MD5
cc8150c1885727315c860476ce8ebae0
-
SHA1
dbca815ec369cff43692a34d84be2a360589e78f
-
SHA256
a4abc0bc968eada66e95fe7b0812f4cb11838f77fed0d2d46e4be0071284e725
-
SHA512
e8dbc4d502585596c5ac9464e43b903499d7ec4fb5784e0bca3f581f4e249bc8c15bff5f5eb3588cface35ff8e72991f097f826895688f22bd1e643ef9ef74f3
-
SSDEEP
3072:JrJRUvveVOHX1ZaGDYxF0qrUvveVOHX1ZaGDruz:1JuvmV2X14GDaF0tvmV2X14GDru
Score 10/10
-
Guloader family
-
Guloader payload
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
BMS PO 4820.exe
-
Size
124KB
-
MD5
1a935bd1a54484f0e02172f00a05d223
-
SHA1
0845159084e5ff0bfcd1459686cbde277a56d3c2
-
SHA256
ba9453ec62ef440d13e1e0e7bcd7fc391a5bfd80fd0db7350bd5824d41385757
-
SHA512
eb38e3e6909aadce68d47c9859da83bb0b2b2668baeaaa9d29223007f08de37cdd192101e1b883d1682b48d44b930cd2205776a670f41cd8627503f6db3261a1
-
SSDEEP
1536:4bR9CTg/c9iG0LL7Le5KaWbR9CTg/c9iG0L:427YVDmW27YV
Score 10/10
-
Guloader family
-
Guloader payload
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
BSO_191120201_430001882_SHpdf.exe
-
Size
1.2MB
-
MD5
2eacbb19f0cdcba736b90ebb240d5141
-
SHA1
844eb3e63f6f79c80a006d05e36e7c855061a61f
-
SHA256
e2f632cc377b027e80f2045f2bab2c0a4467c2ba0e1c9327a7e174bdef7de841
-
SHA512
1d766629b62a88b6dbbf858387e2169ec64ffffe85ca6bcfcebe02a58a38ac7b6839c964d5c44048686611c98c26460a27ddae83396639945bdd486c638830b0
-
SSDEEP
24576:vu6J33O0c+JY5UZ+XC0kGso6Far6NoJy+0CPgYwflf0psWY:Zu0c++OCvkGs9Far3D0CIYUfKY
Score 10/10
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Warzone RAT payload
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
Bank Information.exe
-
Size
60KB
-
MD5
8f30fe69d5146ed6130120da495a87f2
-
SHA1
042be30d423150c335bad3556bb4d290b24c97cc
-
SHA256
dd23cc62b3dcf7ae6a4063b8a64d925f3b796692c624dde7f9b1b3ee5692c7f5
-
SHA512
48272c92bfee25c7a8db5b89eaccbbf6d78fce6b05362f05beb1e90ce47fd0435746234d9eb0cb87126c978b3d3a44091f2398afdcbce916239f53d27a52525f
-
SSDEEP
768:VkDKf+cjuzt1CfCmaW5qXgmT/JdfFBKy7psh:Vk2F5amaW51a/DR7Kh
Score 10/10
-
Guloader family
-
Guloader payload
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
C.V - Experience Certificates.exe
-
Size
771KB
-
MD5
083766ee56eb8c53f078ff95d816ef50
-
SHA1
f485048ce97918372635a7cd933b1be63b73c9e4
-
SHA256
d6c7734e6091151fe53c158d2b6323e589dca3e6e5651deaaa04d9e979cd0813
-
SHA512
49c6bb577c676f1b1965eeb5095ce43c4d43f617327541fc1256c932389c3cc68267234b01a56bfcb8a4bfd84029b7c6f6c23c9df9fb6d218dc9949919087c97
-
SSDEEP
12288:0qXK6MkXbaO4OjWamNDuxLZKfj4Csv8wpl70COt2H2FMucigw4baW7Ux:06qWbcOj6Sx9i4JUwf7Um2FMnXU
Score 3/10
-
MITRE ATT&CK Enterprise v15
(count of matching targets in parentheses; the flattened layout had fused each count onto the following technique name)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (5)
  - Credentials In Files (4)
  - Credentials in Registry (1)