agenttesla | d36e8aa297749e5909316230b55c07fa185761d2f58699e6caefdf3a8141168e

Resubmissions

12/03/2025, 14:23

250312-rqc5jsvjz9 10

Sharing

Copy URL

Twitter E-mail

General

Target

infected.7z
Size

80.4MB
Sample

250312-rqc5jsvjz9
MD5

cf25242af21ffb257ec3b670fe3bff9c
SHA1

a96400547e93790a9b16450ae0fff715efd6fc21
SHA256

d36e8aa297749e5909316230b55c07fa185761d2f58699e6caefdf3a8141168e
SHA512

f2ed8221f1bb3140115d3c170495a24cc6adc28b3a87b51f2c0ae583c4b4710fba9217e66d0df859db5c250ea47ba07eae174e146b13bd791b9d65983e4c9567
SSDEEP

1572864:9c2eO+OHpOV3D8iOjaVPBHd4uiehiH1W9e7uKweDrnI3ZW6yFwdAf67u2CZo9h:m2eO+OJE3IYd6VH1W9e7/prnI3ZWDWAk

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

botnet.goelites.cc

Extracted

Family

gafgyt

209.126.73.248:839

45.144.29.99:42516

104.206.252.100:42516

217.61.7.114:72

107.172.137.175:7777

85.204.116.33:717

192.223.29.160:42516

Extracted

Family

mirai

Botnet

MIRAI

botnet.goelites.cc

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

xorddos

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3306

ns4.hostasa.org:3306

ns1.hostasa.org:3306

ns2.hostasa.org:3306

ns3.hostasa.org:3310

ns4.hostasa.org:3310

ns1.hostasa.org:3310

ns2.hostasa.org:3310

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2822

www.wangzongfacai.com:2822

174.139.217.145:2822

ns3.hostasa.org:3308

ns4.hostasa.org:3308

ns1.hostasa.org:3308

ns2.hostasa.org:3308

ns3.hostasa.org:3307

ns4.hostasa.org:3307

ns1.hostasa.org:3307

Attributes

crc_polynomial
EDB88320

xor.plain

Extracted

Family

redosdru

http://42.51.154.54:88/NetSyst81.dll

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
webmail.ombakparadise.com
Port:
587
Username:
[email protected]
Password:
ce$%^mirah

Extracted

Family

nanocore

Version

1.2.2.0

192.168.1.1:54984

127.0.0.1:54984

Mutex

4e3184db-fd2f-47b2-8daf-030abc4baf4c

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-09-12T00:43:48.877032236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
HelloWorld
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4e3184db-fd2f-47b2-8daf-030abc4baf4c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
192.168.1.1
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

8.tcp.ngrok.io:13962

Mutex

aaffeb7a5f54025070b8e182b1fa7d98

Attributes

reg_key
aaffeb7a5f54025070b8e182b1fa7d98
splitter
Y262SUCZ4UJJ

Extracted

Family

cobaltstrike

Botnet

1359593325

http://173.234.155.223:80/boxes.css

Attributes

access_type
512
host
173.234.155.223,/boxes.css
http_header1
AAAAEAAAABtIb3N0OiBzeW1hbnRlY3NlY3VyaXR5dC5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABJBY2NlcHQ6IGltYWdlL2pwZWcAAAAHAAAAAAAAAAsAAAADAAAAAgAAADV3b3JkcHJlc3NfbG9nZ2VkX2luXzE4NzBhODI5ZDliYzY5YWJmNTAwZWNhNmYwMDI0MWZlPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABtIb3N0OiBzeW1hbnRlY3NlY3VyaXR5dC5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABVBY2NlcHQtRW5jb2Rpbmc6IGd6aXAAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAAPAAAAAwAAAAIAAAAHYnJva2VuPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
11008
polling_time
61757
port_number
80
sc_process32
%windir%\syswow64\WUAUCLT.exe
sc_process64
%windir%\sysnative\WUAUCLT.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJvC2CQYaIouT41kXKVNrM5lLvclGJRE+i3ves+vC0AADUWTPs64Dn/B4eKlQKPpbC/8IgJjadD/B9pZiY8XUlk4dvaagLdjBCq7uSxS+KhVVsX46LBSBgIxaE4AeoZvwBD2n0wdeeI2sbkMvDhhv5s6Nmz12sAtOVGdr8cX3s5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.708806656e+09
unknown2
AAAABAAAAAIAAAPVAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/ce
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
watermark
1359593325

Targets

- Target
  
  097910dc615bd581069c0ec67fa513d0.vir
- Size
  
  193KB
- MD5
  
  097910dc615bd581069c0ec67fa513d0
- SHA1
  
  00597735a09afbe12ad29ea00ede40733c67801c
- SHA256
  
  25b2ae77c2dc71ca729c153cce1615b77a396ff4ba598928c788eec57f1777fe
- SHA512
  
  cdf2464377db2fc6c2b2c665ac903e74cfde99a3e6cc6acd7d0d2ad6d417d442b27760b79d14693e3ba27d0a1b8a3d0355f48521d9847ab30c38e8541de92752
- SSDEEP
  
  3072:/8QYOkCol9wKhIDDVX1oWPBy4UAhZErjmZPwmlrNChgC:/8QtAwKhK1oWPf6mx56
Score

10^/10

smokeloader backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  19771cc7d4a738eb3e879d7a537dc260.vir
- Size
  
  159KB
- MD5
  
  19771cc7d4a738eb3e879d7a537dc260
- SHA1
  
  eb8b05f48826a090c3f84d468d3986a121bc0cd5
- SHA256
  
  cac09c5751194795eb27b2daf641bee4afbcb1638095d7055e89c9c505af038f
- SHA512
  
  688c47b760c6ba14ede8c1e5bb708e5ade001b0e866c6a87139a452fe9cca0d0bd88967ad4ed80f0129d30e7c7fdb9d839c5e0f051a28bceaec9c776f26df549
- SSDEEP
  
  3072:fydfi5NYbjCOqGRhEkH8f4n3fIfkBo6Yn3EWejU:fyhi5N+OOLRikH8fEgsLYUO
Score

10^/10

globeimposter discovery persistence ransomware
- GlobeImposter
  GlobeImposter is a ransomware first seen in 2017.
  ransomware globeimposter
- Globeimposter family
  globeimposter
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral3 behavioral4
- Target
  
  29c5c99473748778ee6bdd60dc8ef6d7.vir
- Size
  
  142KB
- MD5
  
  29c5c99473748778ee6bdd60dc8ef6d7
- SHA1
  
  a56c5bd13d60a680ec14718d098d8c362d2c4f73
- SHA256
  
  5480bfb72a710126e2c493a95d85db8c4889d4173647432877dbff09e32e5691
- SHA512
  
  7e2275641bac61d17efda73844d4df4165ee2569b1e13c22f5dbb801c02072f222959582c66df08668ef6dc666c3a661b96737794f03f4c5dbe9f47a538d993f
- SSDEEP
  
  3072:0EDfcOlkmQCnoV1+qXuls8KS+RhUtpt5hLnHZvbg5XQZDeoCODQUDMj4AFx8:XsG+wft5hLHZvsFoCODQUDMj4AFx8
Score

1^/10
behavioral5
- Target
  
  29d9976d73aabf191eafe0f8b045cc85.vir
- Size
  
  840KB
- MD5
  
  29d9976d73aabf191eafe0f8b045cc85
- SHA1
  
  8332c39e496873afdc4fd89210e293204b085a63
- SHA256
  
  dcf103b03ea1c41a8b40f788b2920177f0d39f27af47452b6a1b2c9fc345dd6a
- SHA512
  
  3ff3b6bb06a8c0bfd2793460e197ab45559f6176998006d711ada313bc27a16f16ee873692640b6283b77cd6ae75a8f72479780705fbe5a02a03f5a275f40002
- SSDEEP
  
  12288:5ShxZ0EG3KQyTs4XlhyI/vbU/BKWmmyg5dBPt/z4ER63k7gm:5SWBKlSBPtstk0
Score

3^/10

discovery
behavioral6 behavioral7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

SmokeLoader

Smokeloader family

Suspicious use of SetThreadContext

GlobeImposter

Globeimposter family

Adds Run key to start application

Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7