General
- Target: vbc.exe
- Size: 193KB
- Sample: 220121-w7w17safe9
- MD5: b2b0d367777c10ea84ddd200e494fafb
- SHA1: 1c263867f142e10910d6c25274ba2b45115becee
- SHA256: 45e4a0928b9a955dd791cee03ff5157f2eb31d465ba24deb1d40f102f54a3e4a
- SHA512: e4cabfefa77a9ff1686fd717c8b045d24e6167ea421e3e2a4ec5977491592711e9defc9d5ca4925f32c8449bd9428eb6684957a7eee28227e4d3431674b81ad1

Static task: static1

Behavioral task: behavioral1
- Sample: vbc.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: vbc.exe
- Resource: win10-en-20211208
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5013020608:AAFu_btAZRcQ9V-SvEIxL9rCbb_x1A-9IJo/sendDocument
Extracted
lokibot
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext