General

  • Target

    JaffaCakes118_b3cc4e1f09aa77a31e7071f2a505bfe5f13f9ec3cb73997b0d4a5ac36fc710fa

  • Size

    39.4MB

  • Sample

    241224-rht34azjgl

  • MD5

    740d3f8ce89c4a34cddfb12c0d1014b3

  • SHA1

    4742325ed1711e75a959b2697dd8718dcde18fb4

  • SHA256

    b3cc4e1f09aa77a31e7071f2a505bfe5f13f9ec3cb73997b0d4a5ac36fc710fa

  • SHA512

    ad7ad5210698554000f49fc58b904d02e1932a0e281ff31b6b9c68e76aaa25113747da034502fd8151a61e11ae134d05c7b73a4ff61267e66a1ad8a47f4d9cf6

  • SSDEEP

    786432:q/328rvIhfpHH5mszuEu0+t6I4aBDNvonFk2jZAofnsPUxF:cG8iULEuL6IxronHioffxF

Malware Config

Extracted

Family

guloader

C2

https://cranetechllc.ml/omega22.bin

https://drive.google.com/uc?export=download&id=1XjUHIgW5T6HcodhQNf4poqrFbSYVe2Qd

http://careint.pw/docs/pdf/arab_encrypted_6CFC030.bin

https://drive.google.com/uc?export=download&id=1VToYtsw5rlxVp08dM1TZ1rGrnrsQ10fg

https://drive.google.com/uc?export=download&id=10FzFkYCZotTZUmUFkblyfcqV3Pl8H5cS

https://drive.google.com/uc?export=download&id=1q-1xTD9weiWyiJIbO51ubhF470YCiWrW

https://drive.google.com/uc?export=download&id=1qCk1c-sywYiSOatB4J7OY2cPPHJ88OmZ

https://serviciotecnicoenperu.com/UGOPOUNDS%20FILE%20LOKI_encrypted_982F15F.bin

xor.base64
xor.base64
xor.base64
xor.base64
xor.base64
xor.base64
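The `xor.base64` entries above are the sandbox's description of how the payloads fetched from those C2 URLs are wrapped before the loader's shellcode unpacks them. The following Python is an added example, not part of this report and not the GuLoader extractor's code. It assumes (an assumption, not something the report states) that `xor.base64` means a PE file XOR-encrypted with a repeating byte key and then base64-encoded, and it recovers the key from the ciphertext alone by using the DOS stub string as known plaintext. The blob it decodes is constructed inline; nothing is downloaded from the listed URLs.

```python
"""Known-plaintext recovery of a repeating XOR key from a 'xor.base64' blob.

Added example; not from the sandbox report or the GuLoader extractor.
Assumption: the blob is a PE file XOR-encrypted with a repeating byte key,
then base64-encoded. The payload below is constructed, not fetched from a C2.
"""
import base64
from itertools import cycle
from typing import Optional, Tuple

DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E   # where MSVC-linked PEs place the stub string


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key aligned to offset 0 of data."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_payload(pe: bytes, key: bytes) -> bytes:
    """What the server side would do: XOR then base64 (demo helper only)."""
    return base64.b64encode(xor_bytes(pe, key))


def recover_key(ct: bytes, key_len: int) -> Optional[bytes]:
    """Each known stub byte at offset o yields key[o % key_len] = ct[o] ^ stub[o].

    The stub only covers keys up to 39 bytes long; longer keys need more
    known plaintext and are reported as None here.
    """
    if key_len > len(DOS_STUB) or len(ct) < DOS_STUB_OFFSET + len(DOS_STUB):
        return None
    key = bytearray(key_len)
    for i, p in enumerate(DOS_STUB):
        off = DOS_STUB_OFFSET + i
        key[off % key_len] = ct[off] ^ p
    return bytes(key)


def looks_like_pe(pt: bytes) -> bool:
    """Reject wrong key lengths: MZ magic, intact stub, 'PE\\0\\0' at e_lfanew."""
    stub_end = DOS_STUB_OFFSET + len(DOS_STUB)
    if pt[:2] != b"MZ" or pt[DOS_STUB_OFFSET:stub_end] != DOS_STUB:
        return False
    e_lfanew = int.from_bytes(pt[0x3C:0x40], "little")
    return pt[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Try every key length the stub can cover; return (key, plaintext)."""
    ct = base64.b64decode(blob)
    for key_len in range(1, len(DOS_STUB) + 1):
        key = recover_key(ct, key_len)
        if key is not None:
            pt = xor_bytes(ct, key)
            if looks_like_pe(pt):
                return key, pt
    return None


def build_fake_pe() -> bytes:
    """Constructed PE-shaped buffer for the demo; not a runnable binary."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")          # e_lfanew
    buf[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    buf[0x80:0x84] = b"PE\x00\x00"
    buf[0x84:] = bytes(range(0x84, 0x100))                  # filler
    return bytes(buf)


if __name__ == "__main__":
    demo_key = b"\x13\x37\xc0\xff\xee\x42\x07"              # constructed key
    key, pt = decode_payload(encode_payload(build_fake_pe(), demo_key))
    print("key:", key.hex(), "magic:", pt[:2], "e_lfanew:", pt[0x3C:0x40].hex())
```

The stub string gives 39 bytes of known plaintext, so this alone only recovers keys of up to 39 bytes; GuLoader keys are frequently longer than that, in which case you either add more known plaintext (the reliably constant or zeroed fields of the DOS and PE headers) or pull the key straight out of the loader's shellcode in a debugger. The `looks_like_pe` check is what keeps a shorter, wrong key length from being accepted when it happens to reproduce the stub.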

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nVGdKgL2

Extracted

Family

warzonerat

C2

79.134.225.29:1960
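The two configs above give a mail-submission host for Agent Tesla exfiltration and a raw socket for the Warzone RAT C2. As an added example, not part of this report, the following Python turns them into detection logic and runs it over a handful of constructed network-connection events. The log format is an assumption: Sysmon Event ID 3 style `key=value` fields, with `Image`, `DestinationHostname`, `DestinationIp` and `DestinationPort`. The file names in the sample lines come from this report; the IP addresses and paths are made up.

```python
"""Match network-connect events against the extracted C2/exfil indicators.

Added example; not from the sandbox report. Log lines are constructed in a
Sysmon Event ID 3 style (an assumption about the log source).
"""
import ntpath
import re
from typing import Dict, List

# Indicators lifted from the extracted Agent Tesla and Warzone RAT configs.
IOC_HOSTS = {"us2.smtp.mailhostbox.com"}
IOC_SOCKETS = {("79.134.225.29", 1960)}

# Processes for which outbound SMTP submission on 587 is expected.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample events; IPs are documentation ranges, paths are invented.
SAMPLE_LOG = """\
Image=C:\\Users\\u\\AppData\\Roaming\\#Order#.exe DestinationHostname=us2.smtp.mailhostbox.com DestinationIp=203.0.113.10 DestinationPort=587
Image=C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE DestinationHostname=smtp.office365.com DestinationIp=203.0.113.20 DestinationPort=587
Image=C:\\Users\\u\\AppData\\Roaming\\BSO_191120201_430001882_SHpdf.exe DestinationHostname= DestinationIp=79.134.225.29 DestinationPort=1960
Image=C:\\Windows\\System32\\svchost.exe DestinationHostname=ctldl.windowsupdate.com DestinationIp=203.0.113.30 DestinationPort=80
Image=C:\\Users\\u\\Downloads\\notes.exe DestinationHostname= DestinationIp=198.51.100.5 DestinationPort=587
"""

# key=value pairs; values may contain spaces (e.g. "Program Files"), so a
# value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one event line into a field dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits: List[str] = []
    image = ntpath.basename(ev.get("Image", "")).lower()
    host = ev.get("DestinationHostname", "").lower()
    ip = ev.get("DestinationIp", "")
    port = int(ev.get("DestinationPort", "0") or 0)
    if (ip, port) in IOC_SOCKETS:                 # exact Warzone RAT C2 socket
        hits.append("warzonerat-c2")
    if host in IOC_HOSTS:                         # Agent Tesla SMTP exfil host
        hits.append("agenttesla-smtp-exfil-host")
    if port == 587 and image not in MAIL_CLIENTS:  # behaviour, not an IOC
        hits.append("smtp-submission-from-non-mail-process")
    return hits


def scan(log: str) -> List[Dict[str, object]]:
    """Run every rule over every line; one alert per line that trips a rule."""
    alerts: List[Dict[str, object]] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = classify(ev)
        if hits:
            alerts.append({
                "image": ntpath.basename(ev.get("Image", "")),
                "dest": f"{ev.get('DestinationIp', '')}:{ev.get('DestinationPort', '')}",
                "rules": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The host and socket matches are the brittle part: `mailhostbox.com` is a shared hosting mail provider and the Warzone IP will be rotated, so the durable rule is the third one, a process that is not a mail client opening a connection on 587. Tune `MAIL_CLIENTS` to what is actually installed in the estate before turning that rule into an alert.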

Targets

    • Target

      #Order#.exe

    • Size

      1.5MB

    • MD5

      1155e9051add5caf1f9ddb9800bd8814

    • SHA1

      8fc58515afa1f27ca5ca6ae3d9cdd4828475f899

    • SHA256

      2145b4c5abd6f3c3ab4daa594069968619841f90e971b2f4d910f8b5f964389f

    • SHA512

      76d87144c1db1e17dc970e2745560fc2b19376f066cd82a4421a1a23c17163fc4182944a65aab55473a6d2262e8e9708bc9aafeffa04a284f99fa6e32f41ff44

    • SSDEEP

      24576:pu6J33O0c+JY5UZ+XC0kGso6Fa1Ir7BiazQsNAcL4pIhjbu/o57HtWY:Lu0c++OCvkGs9Fa1IIPaLiIhuqcY

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.

    • Agenttesla family

    • AgentTesla payload

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      #QTN-20-971-JA04Q7..exe

    • Size

      76KB

    • MD5

      be4aafc0bb1b1108fd43c52d23f7bc82

    • SHA1

      058ef7378000cd15d93e3e3dabec76a74e50d1f7

    • SHA256

      84a52d8714b6e93f7361b6884e2c292d2768d583e2f01cb3eda25d7bda701eff

    • SHA512

      20a649b338c36d2baf586efddfb9c416818bec38de25c4f8e7f567fecaa6211cedbcd2e045be99ede6e3e2dd188115e7f58722519ea74478ab453a69e1beb647

    • SSDEEP

      1536:E4BUVEpEdE+oGJlpr3J5Z4Q8NrHUVEpEdE+oGJ:GuWd/oGljJ5CQuQuWd/oG

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $70k MT 30JAN.exe

    • Size

      68KB

    • MD5

      46bbf5e855bc75bac0102f64ef89d020

    • SHA1

      9ae433aa63784d9ca7d614859bdd27fd1f377b68

    • SHA256

      f51c1470741a6272f90a147fc717bbbc8808a92107e7c16f7c1ff57c69ee2791

    • SHA512

      30072e2a142563d111d3671f055da9a9ed075ae9f6809bbb85136d923112d3b4e4d9d877f6fb470d0170823ef219e70a0400ef868e9454d340055e83aa5e0599

    • SSDEEP

      768:kQOK55sy7IbEfUMMuqe+bQ8u4OK55sy7IbEfUM:kXKn95InnbQ8GKn95

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Guloader payload

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      03-02-20.exe

    • Size

      1.4MB

    • MD5

      bd60799f301063dc0f421c2c931ccfdc

    • SHA1

      2a62f63630f28ae0634605b361410bbc8ed1eacd

    • SHA256

      582378f817f2393d4fc8d78c493de7e6f2639c4b2aca466e277d47ca53a3f092

    • SHA512

      7b502d4fd1f1372e2de7e06d1c3cc8f2baecbeab5dfd483b563dce4dbaa2bc0642bf7d6800e05e97580a0e813857c7737952a66c7f1e5fc0a587b3d9ce555c48

    • SSDEEP

      24576:yu6J33O0c+JY5UZ+XC0kGso6FaNDqdyUOW2xB5KDthptAMXDYP3VcSYvOPWY:0u0c++OCvkGs9FaNGdyUOW2xBkDPpmMS

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.

    • Agenttesla family

    • AgentTesla payload

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

    • Unsecured Credentials: Credentials In Files

      Attempts to steal credentials from unsecured files on disk.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      20191107145436608.exe

    • Size

      68KB

    • MD5

      97393d9e6eaa2b3481cac21c96fbaeca

    • SHA1

      5bdfc65074dcdad5f27039e68585d4f650f5d712

    • SHA256

      de6adf588622a2f3a30bb2ba35c9a51d6d3a8ae854c145c1ea1815cc15172a24

    • SHA512

      9d06803a8c8e0f2bdcf5a56f188055f0e5dfcd24231626e043c2bf06388ba8032d8f940b8ee5b60cb64ec3326ee9f2adef8f63a4a9d927038692fdbbb44520a6

    • SSDEEP

      1536:IxAPHeWBb/FM7gKbYbY0yQnPMEQSyQtBb/FM7gKbYbY:MWE7gmQnPZQTQtE7g

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Guloader payload

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      2019111211292579875_BankInfo.exe

    • Size

      116KB

    • MD5

      88eaf0228d3e91df53e98cc856460d58

    • SHA1

      ff55b60f33dc532d3c3ead9efe2e44edf3e07b45

    • SHA256

      115f68c5b3dcdd290f1aed783b1485915fda14f9840b132f519e9eb67c561e41

    • SHA512

      062c26490796cef240aaced3a346d4ed55d32f91ef07f52b04eb9cd2a150d8e49774582a5f66b96c2e3394c63c84c94388a28959a95d2f63c136bf6e8e6d329f

    • SSDEEP

      1536:Jl1cZnZjQkVjKSeRyfwLAY1DqOwvRyNnZjQkVjKSuTN1:JlKPUkVjKVROwJJBwvReUkVjKvR1

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Guloader payload

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      2020 ORDERS.exe

    • Size

      48KB

    • MD5

      73286015e393e84ed9de6bac47026c0e

    • SHA1

      a25fc0f6100b97e522875ffc650b90e22db399c2

    • SHA256

      9e4af6893873207e1945b734ceddef69ebcbe5c2b6b68a1a2a3b8adbc04a241f

    • SHA512

      23971c9b8d59ff4a19ae7ab6f5601cb7a52b043a1565281afa752d1806e084cb2328d1d166b778d01a53581de80507fa0b280abf08d53a6adf293eb9031bc630

    • SSDEEP

      768:C/L/6YGYmNJ/AKXN0iRLVbqHoKyQG0F0aQK3LSTZof7:C/k7/AeeiZVbhUTyDseT87

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Guloader payload

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      624880_ZOC10280374040_IFP_PT.exe

    • Size

      1.5MB

    • MD5

      a94a92a26e007e7bd968f6fb01a0095b

    • SHA1

      f6b1610de7bdeaedfc72a3ba0cdb68078121c080

    • SHA256

      432fc1341719ea2bcaebcee83f96b20ad7e86cdeac01870377816738f50b3b7c

    • SHA512

      a6f911d84e14b20a147f7806649f904293513c28be444d5530f188396edde386fb183034c2a48af00ed9f9b5196c63cd63b59f60f770c20d5302382dcef9ccf6

    • SSDEEP

      24576:82rT5JibBsR1YAcUSWcPsPQcVnJtCaYFA9M3CSLf2z4Nnjxs2+NhunQQS+PDYeoU:NpJ22R1rcUWPsPFVrCaYNSSLfY4/GTuj

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.

    • Agenttesla family

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

    • Unsecured Credentials: Credentials In Files

      Attempts to steal credentials from unsecured files on disk.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ADMIN DEPT. INVOICES 482 SGT STATEMENT.exe

    • Size

      72KB

    • MD5

      bebdb7689b5697c9c63a45b3f367151b

    • SHA1

      76fba6d49342b6a66212e5fa412b378938d27ffa

    • SHA256

      a8465b4f33e83daa0a165222ced1ada582be57b3d55f386dacbbce8463f31256

    • SHA512

      03ab75ef2ddb1b2389f4d88d6e19448dd93a25498e8393eaf69356385d11b9d7329cde4869fa4dd9321942a7f63ba32f0c1c85353de7848439071c8630d00bd8

    • SSDEEP

      1536:LQtJgJi0e+J9VbfiFmRZ9KbyVbrJgJi0e+J:kwE+HVrKbyVnwE+

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      AWB_TR0089.exe

    • Size

      1.2MB

    • MD5

      6c2e87cf5c1a84fdaedb4074dbf92922

    • SHA1

      bab5f9acfccd5f692223139570d3abc5c85bab78

    • SHA256

      e362b06fee19208104988e8904e295630612296a60244020ffbef7d6df22cd2f

    • SHA512

      333d44f682154240b99e86308a55ba659b8fff4dcf9dea82293e6c7bbc16dd6adc82ee1774042766b66974b7f1d82c6755967e4a2c73e2e81bf1623488db3fef

    • SSDEEP

      24576:fu6J33O0c+JY5UZ+XC0kGso6FayAwm8bU8RkjbHAq9LWY:pu0c++OCvkGs9Fayn1UPTA9Y

    • Score

      3/10

    • Target

      Avis de virement.exe

    • Size

      124KB

    • MD5

      63a9dd43976a1fee9357d85367a23fac

    • SHA1

      2951b3d16d7449f857d88cfa403367d98a5b49b4

    • SHA256

      2922b5cec1af1aa38e62b79f1b6618c7e110bee195c1defe6a642f320954b141

    • SHA512

      1793f07462b2fba3c3a93365175f2dffb978fb4696535540897194ae0dd4ac3442ca8d29fdc53b3412448856003dc0b05611b6ac6cf30bf3726a899a9f59b04f

    • SSDEEP

      1536:ROLrNLj8qgCSnfadnBTITmG49afNLj8qgCSnfaddLO:ALrNLrtdnBMl49afNLrtddC

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      BL-INVOICE SHIPPING DOCS.exe

    • Size

      188KB

    • MD5

      cc8150c1885727315c860476ce8ebae0

    • SHA1

      dbca815ec369cff43692a34d84be2a360589e78f

    • SHA256

      a4abc0bc968eada66e95fe7b0812f4cb11838f77fed0d2d46e4be0071284e725

    • SHA512

      e8dbc4d502585596c5ac9464e43b903499d7ec4fb5784e0bca3f581f4e249bc8c15bff5f5eb3588cface35ff8e72991f097f826895688f22bd1e643ef9ef74f3

    • SSDEEP

      3072:JrJRUvveVOHX1ZaGDYxF0qrUvveVOHX1ZaGDruz:1JuvmV2X14GDaF0tvmV2X14GDru

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Guloader payload

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      BMS PO 4820.exe

    • Size

      124KB

    • MD5

      1a935bd1a54484f0e02172f00a05d223

    • SHA1

      0845159084e5ff0bfcd1459686cbde277a56d3c2

    • SHA256

      ba9453ec62ef440d13e1e0e7bcd7fc391a5bfd80fd0db7350bd5824d41385757

    • SHA512

      eb38e3e6909aadce68d47c9859da83bb0b2b2668baeaaa9d29223007f08de37cdd192101e1b883d1682b48d44b930cd2205776a670f41cd8627503f6db3261a1

    • SSDEEP

      1536:4bR9CTg/c9iG0LL7Le5KaWbR9CTg/c9iG0L:427YVDmW27YV

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Guloader payload

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      BSO_191120201_430001882_SHpdf.exe

    • Size

      1.2MB

    • MD5

      2eacbb19f0cdcba736b90ebb240d5141

    • SHA1

      844eb3e63f6f79c80a006d05e36e7c855061a61f

    • SHA256

      e2f632cc377b027e80f2045f2bab2c0a4467c2ba0e1c9327a7e174bdef7de841

    • SHA512

      1d766629b62a88b6dbbf858387e2169ec64ffffe85ca6bcfcebe02a58a38ac7b6839c964d5c44048686611c98c26460a27ddae83396639945bdd486c638830b0

    • SSDEEP

      24576:vu6J33O0c+JY5UZ+XC0kGso6Far6NoJy+0CPgYwflf0psWY:Zu0c++OCvkGs9Far3D0CIYUfKY

    • WarzoneRat, AveMaria

      Warzone RAT (also sold as AveMaria) is a native RAT written in C++, offered as malware-as-a-service (MaaS) with multiple plugins.

    • Warzonerat family

    • Warzone RAT payload

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Bank Information.exe

    • Size

      60KB

    • MD5

      8f30fe69d5146ed6130120da495a87f2

    • SHA1

      042be30d423150c335bad3556bb4d290b24c97cc

    • SHA256

      dd23cc62b3dcf7ae6a4063b8a64d925f3b796692c624dde7f9b1b3ee5692c7f5

    • SHA512

      48272c92bfee25c7a8db5b89eaccbbf6d78fce6b05362f05beb1e90ce47fd0435746234d9eb0cb87126c978b3d3a44091f2398afdcbce916239f53d27a52525f

    • SSDEEP

      768:VkDKf+cjuzt1CfCmaW5qXgmT/JdfFBKy7psh:Vk2F5amaW51a/DR7Kh

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Guloader payload

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      C.V - Experience Certificates.exe

    • Size

      771KB

    • MD5

      083766ee56eb8c53f078ff95d816ef50

    • SHA1

      f485048ce97918372635a7cd933b1be63b73c9e4

    • SHA256

      d6c7734e6091151fe53c158d2b6323e589dca3e6e5651deaaa04d9e979cd0813

    • SHA512

      49c6bb577c676f1b1965eeb5095ce43c4d43f617327541fc1256c932389c3cc68267234b01a56bfcb8a4bfd84029b7c6f6c23c9df9fb6d218dc9949919087c97

    • SSDEEP

      12288:0qXK6MkXbaO4OjWamNDuxLZKfj4Csv8wpl70COt2H2FMucigw4baW7Ux:06qWbcOj6Sx9i4JUwf7Um2FMnXU

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

  Tags: guloader
  Score: 10/10

behavioral1

  Tags: agenttesla, collection, discovery, keylogger, spyware, stealer, trojan
  Score: 10/10

behavioral2

  Tags: agenttesla, collection, discovery, keylogger, spyware, stealer, trojan
  Score: 10/10

behavioral3

  Tags: guloader, discovery, downloader
  Score: 10/10

behavioral4

  Tags: guloader, discovery, downloader
  Score: 10/10

behavioral5

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral6

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral7

  Tags: agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
  Score: 10/10

behavioral8

  Tags: agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
  Score: 10/10

behavioral9

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral10

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral11

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral12

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral13

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral14

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral15

  Tags: agenttesla, collection, credential_access, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral16

  Tags: agenttesla, collection, credential_access, discovery, keylogger, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral17

  Tags: guloader, discovery, downloader
  Score: 10/10

behavioral18

  Tags: guloader, discovery, downloader
  Score: 10/10

behavioral19

  Tags: discovery
  Score: 3/10

behavioral20

  Tags: discovery
  Score: 3/10

behavioral21

  Tags: guloader, discovery, downloader
  Score: 10/10

behavioral22

  Tags: guloader, discovery, downloader
  Score: 10/10

behavioral23

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral24

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral25

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral26

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral27

  Tags: warzonerat, discovery, infostealer, persistence, rat
  Score: 10/10

behavioral28

  Tags: warzonerat, discovery, infostealer, persistence, rat
  Score: 10/10

behavioral29

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral30

  Tags: guloader, discovery, downloader, guloader
  Score: 10/10

behavioral31

  Tags: discovery
  Score: 3/10

behavioral32

  Tags: discovery
  Score: 3/10