General
-
Target
Fedteradsens.vbs
-
Size
320KB
-
Sample
221222-qjxpyaee53
-
MD5
9e28bb88afaaf6f6c8e23d3b5f3b3721
-
SHA1
8e76a37f314eee4fb2c8eb82c32de2e81d1851dd
-
SHA256
067775099e8349a39928c3513c29a8f1910da84c60b11d33e83e7484ea9ba2da
-
SHA512
6b2cf5f6fbf57c6f163b1a563e8f568ba8a55970bb64ca7f4db0d37a4b20fa8d6149d2ba3303bdf39f04c53b54fa3c9185b188a4e8bce71ba713f7aec46f2134
-
SSDEEP
6144:7zElTw6iCG/7yf4ExFv3nWDVl97jPE4/x6337hDNkQm5/dUDJa6:uaCG/7jE/v3nuz7jnozk0U6
Static task
static1
Behavioral task
behavioral1
Sample
Fedteradsens.vbs
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Fedteradsens.vbs
Resource
win10v2004-20221111-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.mpmhino.com
Port: 587
Username: [email protected]
Password: mpmpabelan123
Email To: [email protected]
Targets
-
-
Target
Fedteradsens.vbs
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (VB.NET/C#); it exfiltrates harvested data over SMTP, FTP or HTTP, here via the SMTP account in the extracted config.
-
Checks QEMU agent file
Checks for the QEMU guest agent on disk, a common check for running inside a virtual machine or sandbox.
-
Checks computer location settings
Reads the country code configured in the registry, most likely to geofence execution to or away from specific regions.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER so an attached debugger receives no events for it; an anti-analysis technique.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Calls NtSetInformationThread with ThreadHideFromDebugger to detach a thread from any attached debugger; an anti-analysis technique.
-
Suspicious use of SetThreadContext
Rewrites another thread's register context, the step that redirects execution in process hollowing and similar injection.
-
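As an added example (not code from the sandbox, this page, or the sample), the following Python replays the behaviour signatures listed above, plus the SMTP endpoint from the extracted config, over a constructed API trace. The trace format (one JSON object per line with pid, api, args), the registry and file paths each signature keys on, the list of IP-lookup hosts, the host.exe image name and the hollowing call sequence are assumptions about how a sandbox would record these calls; only the C2 host and port are taken from the report.

```python
"""Added example: replay the report's behaviour signatures over a constructed trace.
Not from the sandbox or the sample. Event shape, registry/file paths, the
IP-lookup host list and the hollowing sequence are assumptions; only
C2_HOST/C2_PORT come from the extracted config."""
import json
import re
from collections import defaultdict

C2_HOST, C2_PORT = "mail.mpmhino.com", 587   # from the report's extracted config

# Constructed trace: pid 1234 is the loader, 5678 the hollowed child,
# 9999 an unrelated benign process that must match nothing.
SAMPLE_TRACE = r"""
{"pid": 1234, "api": "CreateFileW", "args": {"path": "C:\\Program Files\\Qemu-ga\\qemu-ga.exe"}}
{"pid": 1234, "api": "RegQueryValueExW", "args": {"key": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo", "value": "Nation"}}
{"pid": 1234, "api": "NtSetInformationThread", "args": {"class": "ThreadHideFromDebugger"}}
{"pid": 1234, "api": "NtCreateThreadEx", "args": {"flags": "THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER"}}
{"pid": 1234, "api": "CreateProcessW", "args": {"image": "C:\\Windows\\System32\\host.exe", "flags": "CREATE_SUSPENDED"}, "ret": {"child_pid": 5678}}
{"pid": 1234, "api": "WriteProcessMemory", "args": {"target_pid": 5678}}
{"pid": 1234, "api": "SetThreadContext", "args": {"target_pid": 5678}}
{"pid": 1234, "api": "ResumeThread", "args": {"target_pid": 5678}}
{"pid": 5678, "api": "RegOpenKeyExW", "args": {"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles"}}
{"pid": 5678, "api": "InternetOpenUrlW", "args": {"url": "https://api.ipify.org/"}}
{"pid": 5678, "api": "connect", "args": {"host": "mail.mpmhino.com", "port": 587}}
{"pid": 9999, "api": "connect", "args": {"host": "update.example.test", "port": 443}}
"""

# Assumed, partial list of public "what is my IP" services malware commonly queries.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.amazonaws.com", "icanhazip.com",
                   "ifconfig.me", "ip-api.com"}


def _host_of(url):
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _arg(e, name, default=""):
    return e.get("args", {}).get(name, default)


# Per-event (stateless) rules, named after the report's signatures.
RULES = {
    "Checks QEMU agent file":
        lambda e: e["api"] in {"CreateFileW", "GetFileAttributesW"}
        and "qemu-ga" in _arg(e, "path").lower(),
    "Checks computer location settings":   # assumed key: HKCU\Control Panel\International\Geo\Nation
        lambda e: e["api"].startswith("RegQueryValueEx")
        and _arg(e, "key").lower().endswith("control panel\\international\\geo")
        and _arg(e, "value").lower() == "nation",
    "Accesses Microsoft Outlook profiles":
        lambda e: e["api"].startswith("RegOpenKeyEx")
        and "\\outlook\\profiles" in _arg(e, "key").lower(),
    "Looks up external IP address via web service":
        lambda e: _host_of(_arg(e, "url")) in IP_LOOKUP_HOSTS,
    "Suspicious use of NtSetInformationThreadHideFromDebugger":
        lambda e: e["api"] == "NtSetInformationThread"
        and _arg(e, "class") == "ThreadHideFromDebugger",
    "Suspicious use of NtCreateThreadExHideFromDebugger":
        lambda e: e["api"] == "NtCreateThreadEx"
        and "HIDE_FROM_DEBUGGER" in _arg(e, "flags"),
    "Suspicious use of SetThreadContext":
        lambda e: e["api"] == "SetThreadContext",
    "SMTP connection to extracted C2":
        lambda e: e["api"] == "connect"
        and _arg(e, "host").lower() == C2_HOST and _arg(e, "port", None) == C2_PORT,
}

# Hollowing is a sequence, so it needs state: CreateProcess(CREATE_SUSPENDED), then
# these three calls in order from the same parent against the same child.
HOLLOW_CHAIN = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def parse_trace(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_hollowing(events):
    """Return {(parent_pid, child_pid)} for every completed hollowing chain."""
    stage, hits = {}, set()
    for e in events:
        if e["api"] == "CreateProcessW" and "CREATE_SUSPENDED" in _arg(e, "flags"):
            child = e.get("ret", {}).get("child_pid")
            if child is not None:
                stage[(e["pid"], child)] = 0
            continue
        key = (e["pid"], _arg(e, "target_pid", None))
        if key in stage and stage[key] < len(HOLLOW_CHAIN) and e["api"] == HOLLOW_CHAIN[stage[key]]:
            stage[key] += 1
            if stage[key] == len(HOLLOW_CHAIN):
                hits.add(key)
    return hits


def match_trace(text):
    """Map each matched signature name to the sorted pids that triggered it."""
    events = parse_trace(text)
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[name].add(e["pid"])
    for parent, _child in find_hollowing(events):
        hits["Process hollowing (suspended process + SetThreadContext + ResumeThread)"].add(parent)
    return {name: sorted(pids) for name, pids in hits.items()}


if __name__ == "__main__":
    for name, pids in match_trace(SAMPLE_TRACE).items():
        print(f"{name}: pids {pids}")
```

The point of the stateful check is that SetThreadContext alone is only "suspicious" (legitimate debuggers and some runtimes call it); the report's verdict rests on the combination with the anti-debug calls, the Outlook profile access and the outbound SMTP session to the configured mailbox, which is why the matcher keys the hollowing signature on the full suspended-write-context-resume chain rather than any single call.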