decrypting-obfuscated-net-malware-part-2


AgentTesla infostealer

1. Collection of user system data

Time, user, CPU, memory, computer name, OSFullName

2. Credential theft from the following browsers

Opera, Comodo, Google Chrome, CocCoc, Chedot, Elements Browser, Liebao, QIP Surf, Orbitum, Sputnik, CentBrowser, Amigo, SRWare Iron, Torch, Brave, Iridium, CoolNovo, 7Star, Epic Privacy Browser, 360 Chrome, Yandex, QQBrowser, UCBrowser, Kometa, Sleipnir 6, Citrio, Coowon, uCozMedia, Vivaldi, CyberFox, IceCat, PaleMoon, Falkon Browser, Flock Browser, WaterFox, BlackHawk

3. Credential theft from FTP applications

CoreFTP, SmartFTP, WS_FTP, FileZilla, cftp, FTPCommander, FTPGetter, WinScp 2, FlashFXP, FTP Navigator

4. Email client credential theft

IncrediMail, Eudora, Postbox, ClawsMail, ThunderBird, TheBat, Outlook, OperaMail, Pocomail, Foxmail, Psi+

5. Chat and messaging applications

Paltalk, Pidgin, Trillian

6. DNS and VPN services

DynDNS, Vitalwerks, OpenVPN-GUI, OpenVPN

7. Downloaders

8. Other attacker information

The malware exfiltrates the stolen data over SMTP, FTP or a web panel.

8.1 Attacker SMTP credentials

8.2 Suspicious web panel

8.3 Suspicious FTP connection

9. Screenshot capture and keylogging

10. Persistence

Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WNRUXJ
Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\WNRUXJ
%TEMP%\\tmpG[0-9]{3}
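The three persistence artefacts above (the two Run-key value names and the %TEMP%\tmpG[0-9]{3} drop path) are enough to write a small hunt over autorun entries. The script below is an added example and is not part of the original write-up; it assumes a hypothetical "KEY | VALUE | DATA" export format and uses constructed sample entries. It generalises slightly beyond the page: besides matching the exact value name WNRUXJ, it also flags any Run entry whose target is a tmpG### file in Temp, since the value name can differ between builds while the drop pattern is the more durable indicator.

```python
import re
from dataclasses import dataclass

# Persistence artefacts taken from the page above.
RUN_KEY_SUFFIXES = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run",
)
KNOWN_VALUE_NAME = "WNRUXJ"
# %TEMP%\tmpG[0-9]{3}: the dropped copy lives in the user's Temp folder.
TEMP_DROP_RE = re.compile(r"\\temp\\tmpg[0-9]{3}(\.[a-z0-9]+)?(\"|\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    key: str
    value_name: str
    data: str
    reasons: tuple


def parse_autorun_line(line: str):
    """Parse one 'KEY | VALUE | DATA' line (hypothetical export format)."""
    parts = [p.strip() for p in line.split("|", 2)]
    if len(parts) != 3:
        return None
    return tuple(parts)


def is_run_key(key: str) -> bool:
    """True when the key is one of the two Run locations named on the page."""
    k = key.lower()
    return any(k.endswith(s.lower()) for s in RUN_KEY_SUFFIXES)


def check_entry(key: str, name: str, data: str):
    """Return the list of reasons an autorun entry looks like this persistence."""
    reasons = []
    if not is_run_key(key):
        return reasons
    if name.upper() == KNOWN_VALUE_NAME:
        reasons.append("value name matches sample (WNRUXJ)")
    if TEMP_DROP_RE.search(data):
        reasons.append("run target is a %TEMP%\\tmpG### drop")
    return reasons


def hunt_autoruns(text: str):
    """Scan an autorun export and return the suspicious entries with reasons."""
    findings = []
    for line in text.splitlines():
        parsed = parse_autorun_line(line)
        if not parsed:
            continue
        key, name, data = parsed
        reasons = check_entry(key, name, data)
        if reasons:
            findings.append(Finding(key, name, data, tuple(reasons)))
    return findings


# Constructed sample export: one benign OneDrive entry, the two WNRUXJ
# entries from the page, a renamed drop with the same path pattern, and a
# benign HKLM entry.
SAMPLE_AUTORUNS = """\
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | OneDrive | "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | WNRUXJ | C:\\Users\\alice\\AppData\\Local\\Temp\\tmpG417.exe
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run | WNRUXJ | 02 00 00 00 00 00 00 00 00 00 00 00
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | Updater | C:\\Users\\alice\\AppData\\Local\\Temp\\tmpG902.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | SecurityHealth | C:\\Windows\\system32\\SecurityHealthSystray.exe
"""

if __name__ == "__main__":
    for f in hunt_autoruns(SAMPLE_AUTORUNS):
        print(f"{f.key} -> {f.value_name}: {'; '.join(f.reasons)}")
```

The StartupApproved\Run value only holds an enabled/disabled flag, so it matches on the name alone; the Run value matches on both name and drop path; the renamed "Updater" entry is caught by the path pattern only.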

IOCs

lbIDo.exe (initial sample)

MD5 B163247FED5C1014F69E72C230235A22
SHA-1 4F0F616DCEAA489E0CE112B02603DBC5D9540C07
SHA-256 BEC429A1F10445FA8ABA7DC9A4103BBAE69D5470C514221A0A87E6B9262CCC6A

https://www.virustotal.com/gui/file/bec429a1f10445fa8aba7dc9a4103bbae69d5470c514221a0a87e6b9262ccc6a/details


AndroidStudio.dll (stager 1)

MD5 89cae80db18a87076fb59c2deff65b66
SHA-1 8ba977317f5c661f81f5317f32ba50d3e8a129ba
SHA-256 4f717aaa0558a7bad3c9eb8d68d7e52a262670898586b4daaf1c0871ef1e1533

https://www.virustotal.com/gui/file/4f717aaa0558a7bad3c9eb8d68d7e52a262670898586b4daaf1c0871ef1e1533/details

Lazarus.exe (stager 2)

MD5 0e4f9e496a1315780640d181cc3b9833
SHA-1 32b1ba9d9b557abf88d09ebda9fc2e4073775792
SHA-256 5bb43d179f782e2e0df0a45c89876693e9c71ba5b69770305c9264bbb566c379

https://www.virustotal.com/gui/file/5bb43d179f782e2e0df0a45c89876693e9c71ba5b69770305c9264bbb566c379/details

NRMOeaUVVkwIAtJShsOH.exe (decrypted strings; stager 3)

MD5 4EF4497EC0AE0C98135E667E2A119DF4
SHA-1 8665A6D4C44939B03E5E384B15B635A2914BE954
SHA-256 D26EB5E5EACB571F650A7991A4746FB4B785C8C625D36E8F0019A90B48855ACD

DNS request
Domain: smtp.yandex.com

References:
https://ghoulsec.medium.com/mal-series-9-c-agenttesla-infostealer-430d8cac505e
https://www.youtube.com/watch?v=8L4hh5CG4nQ&t=364s