Overview

overview

10

Static

static

Richiesta urgente.vbs

windows7-x64

10

Richiesta urgente.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Richiesta urgente.gz

  • Size

    192KB

  • Sample

    221128-mghw8afd94

  • MD5

    2930c7fde6f66ee6f538637dd3623749

  • SHA1

    761d857b60f9ed393a8ff60b2c019ba0a33e1f0c

  • SHA256

    11fcce94c7834e10cabc717db1e141354d4f79cd802c37dc4a8cddcf43bec41b

  • SHA512

    f77c36dcd0b78ba4879dfaecde6cb28a2c82e65c28f165e3f7b27588d8d268c9a258154c0fe0484ce38e616f410e6f4bd403145c12d3011af6095ce311553b8b

  • SSDEEP

    6144:WcuJ3jEF1cH1FHXXdXwOzA6j/IfqGPzl5qSREgSYYfHv:W7+1cHDXtVzAFqGzgH

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.mcmprint.net
  • Port:
    21
  • Username:
    noffice@mcmprint.net
  • Password:
    2K-0}h.[5hb)

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.mcmprint.net
  • Port:
    21
  • Username:
    noffice@mcmprint.net
  • Password:
    2K-0}h.[5hb)

Targets

    • Target

      Richiesta urgente.vbs

    • Size

      347KB

    • MD5

      de0edf01710a38b1e96688ae2f712ebb

    • SHA1

      6791a70cf79c415ba109e86734bcfd1b4930ec31

    • SHA256

      20796159ce1191fe88603ee4be1855bca614bcb29161d149a6990b48589d88c5

    • SHA512

      8456bd4c7106a8231f07407fa692520436a9be635fe6245e20d0d61efe11bd2664f758dc7a2f30eb7fd0839e90b854972d5c6d31d6b7e800d78bbf5bb4d970b9

    • SSDEEP

      6144:JmYNxYtoG4TDkYeZrZZL1HQTazh6VQIGoeJTaBrSlWYNemg/j4XO9Zob4HZIKK:8JaVerZzwTi4VyoKKrSlZN4/7F6KK

    Score
    10/10
    agentteslakeyloggerspywarestealertrojancollection

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks