General
Target: RFQ No. 109050.vbe
Size: 599KB
Sample: 221206-htan6agg6t
MD5: f11778cbde51d99c01d187b8a606b6c2
SHA1: 2ac169a3b9237a3dd5525a95b1712b690329757e
SHA256: 9ad8dc0946dc335ebe8487c8dcd9d352a24fd2ca8655bad38f476d57d5232f86
SHA512: 80b47960a21f0be15fe496adaedbaa47deae992848cd8dc25199d55d519346cffc5cf07b8fabf45ef154048bbe0eb57144f3802cef64191e59de7718f529f3dd
SSDEEP: 6144:RlBnkjE4CJiP4RdKkDSlVciFCGGnzQhbIkY+PGZjjb3WabtHnatinzzVMce0NVnT:RvnkjCIPi/DSl6KWkYjiywg3VMM88oEb
Static task: static1
Behavioral task: behavioral1 (Sample: RFQ No. 109050.vbe; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: RFQ No. 109050.vbe; Resource: win10v2004-20220812-en)
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.cropscapital.com
Port: 587
Username: [email protected]
Password: Ofert@lia1994
Email To: [email protected]
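To make the indicators on this page usable, the following is an added example (not part of the sandbox report): it checks a suspect file against the digests listed in the General section and runs the network indicators from the extracted AgentTesla config over log lines. The `host=`/`event=` log format, the sample log lines and the Suricata sid are constructed for the example; the digests, mail host and port are copied from the page, and the mailbox addresses are redacted on the page, so they are not used as indicators.

```python
"""Turn the sandbox report's indicators into a file check and a log scan.

Added example, not part of the report. Log format and sample lines are
constructed; indicator values are copied from the page.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# File indicators copied from the General section of the report.
SAMPLE_HASHES = {
    "md5": "f11778cbde51d99c01d187b8a606b6c2",
    "sha1": "2ac169a3b9237a3dd5525a95b1712b690329757e",
    "sha256": "9ad8dc0946dc335ebe8487c8dcd9d352a24fd2ca8655bad38f476d57d5232f86",
}

# Network indicators copied from the extracted AgentTesla config.
EXFIL_HOST = "mail.cropscapital.com"
EXFIL_PORT = 587


def file_digests(data: bytes) -> Dict[str, str]:
    """Compute the digests the report lists so a suspect file can be compared."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sample(data: bytes) -> bool:
    """Require every listed digest to agree. A single mismatching digest points
    to a mis-copied indicator or a deliberately colliding file; either needs a look."""
    digests = file_digests(data)
    return all(digests[name] == value for name, value in SAMPLE_HASHES.items())


def suricata_dns_rule(sid: int = 1000001) -> str:
    """DNS lookup of the exfil mail host (sid is an assumed local value)."""
    return (
        'alert dns $HOME_NET any -> any any (msg:"AgentTesla SMTP exfil host lookup"; '
        f'dns.query; content:"{EXFIL_HOST}"; nocase; sid:{sid}; rev:1;)'
    )


# Constructed endpoint log format: "<ts> key=value key=value ..." (assumption).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    ts, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def is_exfil_host(name: str) -> bool:
    name = name.lower().rstrip(".")
    return name == EXFIL_HOST or name.endswith("." + EXFIL_HOST)


def scan_logs(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (signal, host, ts) hits.

    A DNS lookup of the exfil mail host is a hit on its own. TCP/587 is the
    legitimate mail submission port, so a connection to it is only reported
    when the same endpoint has just resolved the exfil host.
    """
    resolved_exfil_host = set()
    hits = []
    for line in lines:
        f = parse_line(line)
        if f.get("event") == "dns" and is_exfil_host(f.get("query", "")):
            resolved_exfil_host.add(f["host"])
            hits.append(("dns-lookup-exfil-host", f["host"], f["ts"]))
        elif (f.get("event") == "conn" and f.get("proto") == "tcp"
              and f.get("dport") == str(EXFIL_PORT)
              and f.get("host") in resolved_exfil_host):
            hits.append(("smtp-submission-to-exfil-host", f["host"], f["ts"]))
    return hits


# Constructed sample log lines (not from the page).
SAMPLE_LOG = [
    "2022-12-06T09:14:02Z host=WS-0142 event=dns query=mail.cropscapital.com rcode=NOERROR",
    "2022-12-06T09:14:03Z host=WS-0142 event=conn proto=tcp src=10.10.4.17 dst=203.0.113.45 dport=587",
    "2022-12-06T09:15:10Z host=WS-0207 event=dns query=smtp.office365.com rcode=NOERROR",
    "2022-12-06T09:15:11Z host=WS-0207 event=conn proto=tcp src=10.10.4.31 dst=203.0.113.99 dport=587",
    "2022-12-06T09:16:40Z host=WS-0142 event=conn proto=tcp src=10.10.4.17 dst=203.0.113.7 dport=443",
]

if __name__ == "__main__":
    print(suricata_dns_rule())
    for hit in scan_logs(SAMPLE_LOG):
        print(hit)
```

The scan deliberately does not alert on port 587 by itself: mail clients use it legitimately, and WS-0207 above is the benign case. The DNS lookup is the high-confidence signal, and the connection is reported only as a correlated follow-on from the same endpoint.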
Targets
Target: RFQ No. 109050.vbe (the same file as in General above)
Size: 599KB
Score: 10/10
AgentTesla
  Agent Tesla is a .NET remote access tool (RAT) and credential stealer; this sample exfiltrates over SMTP using the mailbox in the extracted config above.
Checks QEMU agent file
  Checks for the presence of the QEMU guest agent, possibly to detect virtualization.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
  Creates a thread with the hide-from-debugger flag, an anti-debugging technique.
Suspicious use of NtSetInformationThreadHideFromDebugger
  Sets ThreadHideFromDebugger on a thread so an attached debugger stops receiving its events, an anti-debugging technique.
Suspicious use of SetThreadContext
  Rewrites a thread's context, commonly seen when injected code is started in another process.