General
- Target: PO-13466.vbs
- Size: 301KB
- Sample: 221003-qey27sgfg8
- MD5: fdbb7a2f10e7b3524be85d7df23adf36
- SHA1: beedcc00dbe3996f8fda1a4b0cf2ad964379ec4b
- SHA256: ff0a2993c328ba693c3260d892de63ab14592d2176aa999378f8b10d7b23d9c4
- SHA512: cf074fa512609f1e6eaf09a847f5aab74809434f1343366d4d64fb2ed1adf6a8b15a04b71859622dbb0e4de886adf076731362c4e1a2e16d0ce58d32c3e38088
- SSDEEP: 6144:FezWeMXf6DijQM2P3jsRkAlJuwZ1IHs+PeDaQkASCz5bu8W:EzvGfyzP3jkPlJuwny6zW
Static task
- static1
Behavioral task
- behavioral1
  Sample: PO-13466.vbs
  Resource: win7-20220901-en
Behavioral task
- behavioral2
  Sample: PO-13466.vbs
  Resource: win10v2004-20220901-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot2130601984:AAFbq9oRuTM0trTEQbxU_lfoBZ4A2S2DeD8/
Targets
- Target: PO-13466.vbs
- Size: 301KB
- MD5: fdbb7a2f10e7b3524be85d7df23adf36
- SHA1: beedcc00dbe3996f8fda1a4b0cf2ad964379ec4b
- SHA256: ff0a2993c328ba693c3260d892de63ab14592d2176aa999378f8b10d7b23d9c4
- SHA512: cf074fa512609f1e6eaf09a847f5aab74809434f1343366d4d64fb2ed1adf6a8b15a04b71859622dbb0e4de886adf076731362c4e1a2e16d0ce58d32c3e38088
- SSDEEP: 6144:FezWeMXf6DijQM2P3jsRkAlJuwZ1IHs+PeDaQkASCz5bu8W:EzvGfyzP3jkPlJuwny6zW
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file
  Checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext