agenttesla | d36e8aa297749e5909316230b55c07fa185761d2f58699e6caefdf3a8141168e

Sharing

Copy URL

Twitter E-mail

General

Target

infected.7z
Size

80.4MB
Sample

250312-rmbgjstr18
MD5

cf25242af21ffb257ec3b670fe3bff9c
SHA1

a96400547e93790a9b16450ae0fff715efd6fc21
SHA256

d36e8aa297749e5909316230b55c07fa185761d2f58699e6caefdf3a8141168e
SHA512

f2ed8221f1bb3140115d3c170495a24cc6adc28b3a87b51f2c0ae583c4b4710fba9217e66d0df859db5c250ea47ba07eae174e146b13bd791b9d65983e4c9567
SSDEEP

1572864:9c2eO+OHpOV3D8iOjaVPBHd4uiehiH1W9e7uKweDrnI3ZW6yFwdAf67u2CZo9h:m2eO+OJE3IYd6VH1W9e7/prnI3ZWDWAk

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

botnet.goelites.cc

Extracted

Family

gafgyt

209.126.73.248:839

45.144.29.99:42516

104.206.252.100:42516

217.61.7.114:72

107.172.137.175:7777

85.204.116.33:717

192.223.29.160:42516

Extracted

Family

mirai

Botnet

MIRAI

botnet.goelites.cc

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

xorddos

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3306

ns4.hostasa.org:3306

ns1.hostasa.org:3306

ns2.hostasa.org:3306

ns3.hostasa.org:3310

ns4.hostasa.org:3310

ns1.hostasa.org:3310

ns2.hostasa.org:3310

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2822

www.wangzongfacai.com:2822

174.139.217.145:2822

ns3.hostasa.org:3308

ns4.hostasa.org:3308

ns1.hostasa.org:3308

ns2.hostasa.org:3308

ns3.hostasa.org:3307

ns4.hostasa.org:3307

ns1.hostasa.org:3307

Attributes

crc_polynomial
EDB88320

xor.plain

Extracted

Family

redosdru

http://42.51.154.54:88/NetSyst81.dll

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
webmail.ombakparadise.com
Port:
587
Username:
[email protected]
Password:
ce$%^mirah

Extracted

Family

nanocore

Version

1.2.2.0

192.168.1.1:54984

127.0.0.1:54984

Mutex

4e3184db-fd2f-47b2-8daf-030abc4baf4c

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-09-12T00:43:48.877032236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
HelloWorld
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4e3184db-fd2f-47b2-8daf-030abc4baf4c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
192.168.1.1
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

8.tcp.ngrok.io:13962

Mutex

aaffeb7a5f54025070b8e182b1fa7d98

Attributes

reg_key
aaffeb7a5f54025070b8e182b1fa7d98
splitter
Y262SUCZ4UJJ

Extracted

Family

cobaltstrike

Botnet

1359593325

http://173.234.155.223:80/boxes.css

Attributes

access_type
512
host
173.234.155.223,/boxes.css
http_header1
AAAAEAAAABtIb3N0OiBzeW1hbnRlY3NlY3VyaXR5dC5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABJBY2NlcHQ6IGltYWdlL2pwZWcAAAAHAAAAAAAAAAsAAAADAAAAAgAAADV3b3JkcHJlc3NfbG9nZ2VkX2luXzE4NzBhODI5ZDliYzY5YWJmNTAwZWNhNmYwMDI0MWZlPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABtIb3N0OiBzeW1hbnRlY3NlY3VyaXR5dC5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABVBY2NlcHQtRW5jb2Rpbmc6IGd6aXAAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAAPAAAAAwAAAAIAAAAHYnJva2VuPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
11008
polling_time
61757
port_number
80
sc_process32
%windir%\syswow64\WUAUCLT.exe
sc_process64
%windir%\sysnative\WUAUCLT.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJvC2CQYaIouT41kXKVNrM5lLvclGJRE+i3ves+vC0AADUWTPs64Dn/B4eKlQKPpbC/8IgJjadD/B9pZiY8XUlk4dvaagLdjBCq7uSxS+KhVVsX46LBSBgIxaE4AeoZvwBD2n0wdeeI2sbkMvDhhv5s6Nmz12sAtOVGdr8cX3s5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.708806656e+09
unknown2
AAAABAAAAAIAAAPVAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/ce
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
watermark
1359593325

Targets

- Target
  
  06038ed7357e8d00e0fcef11800dfb40.vir
- Size
  
  1.8MB
- MD5
  
  06038ed7357e8d00e0fcef11800dfb40
- SHA1
  
  4b885a0e2fa5b59338622ef7f2859c232d7ab7c6
- SHA256
  
  d85c8bbec339bdefe5e4c4409816554173974ffccd31272d5fcf138d022122d2
- SHA512
  
  6200aa51102d71eca42ecebd04253ce915244ef86a8409d6a3e86c9402e7081f3b4bebdfa9718543df3d332b17e6ec758d9556c533493d945905656108c72cbc
- SSDEEP
  
  49152:QIRg5x6slKZZPCPXNYJLfUWoU/OoGbnQ/7WUT9DMQloU/8:He5x6slKZTolo1loN
Score

8^/10

discovery persistence ransomware
- Drops file in Drivers directory
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  0673936fc0472890d129258bc6ce1f9b.vir
- Size
  
  180KB
- MD5
  
  0673936fc0472890d129258bc6ce1f9b
- SHA1
  
  8a7f09e6afa2761a55b6432616b747c07c93982a
- SHA256
  
  9f0678e4ac2b46a2bc79ba5ed83cb678d8e266655bc4102cedbbe2a8a13959c3
- SHA512
  
  8b5972f0f1be5fb5d07b877952ae587ec1c61d63c429b88d1c50dfb3238508fe396c22935c0eea6aa83048b2f52ec4cf611823db3dba93a9a40be1ca39affef5
- SSDEEP
  
  3072:CHRJs3d6kEWoh9LkttV+zz3SDYe7hYHYmOZkqzdmwCr4:kJTwI9LkPYuDYeuH837
Score

1^/10
behavioral2
- Target
  
  07b3c7c475a0204f34408d806a4d0883.vir
- Size
  
  60KB
- MD5
  
  07b3c7c475a0204f34408d806a4d0883
- SHA1
  
  72da95ef18d46b5ff6f75c90da29d294e8e755cf
- SHA256
  
  457bf2d5752e50d343a655993e9f308a616f4123c5fbebbc369f12c49bd502b6
- SHA512
  
  4c57ce6ee744227219cdfdea5e67efe605c62d7ae99233a9b886bdf0144c70f0317be3ba5dd01c097284c3c86e7005165b9d74ef43fcf28d8d5fd34717c0f1c2
- SSDEEP
  
  768:5blRLS2f/IbhNGgkqUpbj3Pl4SSbUtkokv9N:bBSI/UGg6P326tkokf
Score

3^/10

discovery
behavioral3
- Target
  
  097910dc615bd581069c0ec67fa513d0.vir
- Size
  
  193KB
- MD5
  
  097910dc615bd581069c0ec67fa513d0
- SHA1
  
  00597735a09afbe12ad29ea00ede40733c67801c
- SHA256
  
  25b2ae77c2dc71ca729c153cce1615b77a396ff4ba598928c788eec57f1777fe
- SHA512
  
  cdf2464377db2fc6c2b2c665ac903e74cfde99a3e6cc6acd7d0d2ad6d417d442b27760b79d14693e3ba27d0a1b8a3d0355f48521d9847ab30c38e8541de92752
- SSDEEP
  
  3072:/8QYOkCol9wKhIDDVX1oWPBy4UAhZErjmZPwmlrNChgC:/8QtAwKhK1oWPf6mx56
Score

10^/10

smokeloader backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  0bb3e9c660f99967ca4c8e21bc46e940.vir
- Size
  
  196KB
- MD5
  
  0bb3e9c660f99967ca4c8e21bc46e940
- SHA1
  
  4f4683250a24c1c752fc774d4c9b3c032f4e59ba
- SHA256
  
  c74fe9b5ed555b14d9b73d9fe53b4e3722f837ded57ae475d540d8b070410b97
- SHA512
  
  84aa508e7612098da66e689a1cc10880a62c9a498706b6a0cd3371f7144ce6a1006974987bcf6d39456a6b9b319cc77a6559ed0a5260639d12566ed2b3f93c38
- SSDEEP
  
  3072:OybtB0tQ9nLHbB9WJvA7DejJuKvEhfmHZ7:R4QxL7B9WSvejJuB+B
Score

10^/10

defense_evasion discovery persistence
- Modifies visiblity of hidden/system files in Explorer
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  0c80a0ef434aaecd6b1c888567935b97.vir
- Size
  
  410KB
- MD5
  
  0c80a0ef434aaecd6b1c888567935b97
- SHA1
  
  ad6730df896f7bb0e4379b8ac543c704f70f8292
- SHA256
  
  bb7850028720aace62daf55e8ba0bcf0b1040ebe20f3035873e9fd7130ced767
- SHA512
  
  7a8b601b6d027c0f017a620aa117c7183c05170aa6f90c4a2a177ad82b938f00b181007d69eea128b4ee738b2397a2448e2a33801daa102bfdf2b39f1917e6de
- SSDEEP
  
  6144:4ta0cy+o0ecIJw2qDukfgpFyuItrcF7Faf3DROwunbNvTr:eXP0yJvqDlQFyuItgZiTROwuxvTr
Score

10^/10

defense_evasion discovery
- Modifies firewall policy service
  defense_evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral6
- Target
  
  0cae2144249cca11917ce26657fc0281.vir
- Size
  
  176KB
- MD5
  
  0cae2144249cca11917ce26657fc0281
- SHA1
  
  e7ffc36c62c26e987c6954e4739a306a95d119e1
- SHA256
  
  5fa749158a4dd5dd030bb97a5ca74a542ae4661b2a76ec69b29d41c3a32e8767
- SHA512
  
  50c5ea18407b74fc5d741d602c87a28c0bfebb348a8ff1710026951937b1e9077a353ee0b9bf2eb648b83a60e34a5e934d8b95c1b7e1202933aea875e6975027
- SSDEEP
  
  3072:MBFDC2a8kkalMLmNTMeN1vT72dPxIhf+5HS5LTbl2NBX9ZdebJR3u:M/inHlN1vTyTIBEHkTbl2zn0bJR
Score

10^/10

gh0strat defense_evasion discovery rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Modifies firewall policy service
  defense_evasion
- Executes dropped EXE
- Drops file in System32 directory
behavioral7
- Target
  
  b76a68b1da993f63c3363dc43739315f.vir
- Size
  
  3.0MB
- MD5
  
  b76a68b1da993f63c3363dc43739315f
- SHA1
  
  270887116fcdad471d5b1fdd825a9551d22f1cb1
- SHA256
  
  41066b7b1cea83c60086ce5758c4ce395e1f7433670791780b875e29a02c4b89
- SHA512
  
  eadf09990081c51fa5be8f4f85ce8b150d21cb847b59a872bc4b6ea12684a41822d3c550ca2ddf7ecd91f20b2553b1349092e39b4aad5e6e59f464d1bde296cb
- SSDEEP
  
  49152:hOZEQTQW+E7Lj+TTbUn/7oxHQKpyGQJ3EGbKpIbamHwTCjFhtbyh3lMk+rhiCpDw:hcEQSE6TTQ7o9QhGmEMKaWmwCjdWh3+A
Score

1^/10
behavioral8
- Target
  
  bb7ad76bef5c5a974ccd0c1b94835830.vir
- Size
  
  260KB
- MD5
  
  bb7ad76bef5c5a974ccd0c1b94835830
- SHA1
  
  0afe421bf897c4f7ada01a9c021938ef09ef8790
- SHA256
  
  098347223227886f16bb1ee42cb1ae51e0ced90e7c3aca1c24f15376711349b9
- SHA512
  
  6144727b2dbf3816c4b5e6fd1da1577f9e79970bc777884c35ed1982cfcb2ae52ea727c9c924627629606d3a83f6ce26d992d4507c50a749a433c4812254f87f
- SSDEEP
  
  6144:VekDDl4fjNw3EOrnBZAtNbWqxwPEO2J3by9fPvZMo+VGkT1py/z:Vek14g3UtNyWwaqnRMo+ckDyr
Score

3^/10
behavioral9
- Target
  
  cdb1365059c0e4973843dc0d0955bfbc.vir
- Size
  
  3.0MB
- MD5
  
  cdb1365059c0e4973843dc0d0955bfbc
- SHA1
  
  eaa991e3a9c57302f31ac5faba09d7f00f65c8b6
- SHA256
  
  1a880b81f53f4c162e7c90d098c185da9cc936988f0ea4fdb278c661d68f9996
- SHA512
  
  17d136b87efde90b50daccb84bd85dd09706af14ee5a2a963655ec2df06aa3173915ccb479010098061dbf079c716197d6a311eff3b0c722daf46c00295af4eb
- SSDEEP
  
  49152:hOZEQTQW+E7Lj+TTbUn/7oxHQKpyGQJ3EGbKpIbamHwTCjFhtbyh3lMk+rhiCpD6:hcEQSE6TTQ7o9QhGmEMKaWmwCjdWh3+K
Score

1^/10
behavioral10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Drops file in Drivers directory

Adds Run key to start application

Sets desktop wallpaper using registry

SmokeLoader

Smokeloader family

Suspicious use of SetThreadContext

Modifies visiblity of hidden/system files in Explorer

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Modifies firewall policy service

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Enumerates connected drives

Gh0st RAT payload

Gh0strat

Gh0strat family

Modifies firewall policy service

Executes dropped EXE

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10