2021-08-09 Aggah IOCs

1. THREAT IDENTIFICATION: AGGAH / AVEMARIA RAT / WARZONE STEALER
2.  
3. SUBJECTS OBSERVED
4. FW: Re: Invoice for July 2021 and Stateement od Account.pdf
5.  
6. SENDERS OBSERVED
7. [email protected]
8.  
9. MALDOC FILE HASHES
10. 14 Invoice & Statement of Account for JULY 2021,pdf.ppam.zip
11. 60fe5c88b6442a4e6b536ab4ba358895
12.  
13. Which contains:
14. 14 Invoice & Statement of Account for JULY 2021,pdf.ppam
15. c53ca10d6aa2f4dd9d7cba4ca14bec24
16.  
17. AGGAH PAYLOAD DOWNLOAD URLS
18. http://bitly.com/ddwddgwfwowklwooooi
19.  
20. which points to:
21. https://fckusecurityresearchermotherfkrs.blogspot.com/p/15_17.html
22.  
23. FOLLOW UP PAYLOAD URLS
24. https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt
25. https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_31d30f382d85478e8fe7e5f1d2052054.txt
26. http://1230948%[email protected]/p/15.html
27.  
28. PAYLOAD FILE HASHES EXTRACTED FROM TEXT FILES
29. 1stPayload.exe
30. 6a7ae0e207f646c9e5b876196cf736e4
31.  
32. 2ndPayload.exe
33. 49e8b5130c4421276e268198d714778b
34.  
35. AVE MARIA/WARZONE C2
36. emalifegogo.duckdns.org
37.  
38. STRINGS FOUND IN MEMORY OF THE ASPNET_COMPILER.EXE PROCESS
39. Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
40. C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe
41.  
42. SUPPORTING EVIDENCE
43. https://www.virustotal.com/gui/file/6c132e1219d1a4210edeb5dd367568f16f08ddf1ca794a32bf067c22b3e9a113/detection
44. https://www.virustotal.com/gui/file/17c8a8ef913ea0a4dbb41e6e55e35c28afade971935457caa44b362b9eec8eb9/detection