General
Target: MY03352Q1171700MYKUL.vbs
Size: 309KB
Sample: 221225-natktabd73
MD5: 11a5f3f7ad7592dc17d89d1b59600fa8
SHA1: 2000b5828e0e9b100d297df5ef4673ea02578dcd
SHA256: 7d4c2032e6d7079d67fc996c9039282a63112bdb95ac675d3d96c6ae9bec3daa
SHA512: a9ffabe48cc16c3801afcf6b8aae96c3c0ea140933a37cb015a7305ffd27bc78d540dc86d596ca9516fa00e664628cf0348dc5e264fd55aa1bb4791afc6a400f
SSDEEP: 6144:PQDNmkBwc8OdK9XoCwguzSCBJnuZ79qfC7gxNZ7kRnbv6j96fL3Wc/div5i9K3mY:PQhzBwc8OdK9XonguzSCBJuZ79qfC7gz
Static task: static1
Behavioral task: behavioral1
  Sample: MY03352Q1171700MYKUL.vbs
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: MY03352Q1171700MYKUL.vbs
  Resource: win10-20220901-en
Behavioral task: behavioral3
  Sample: MY03352Q1171700MYKUL.vbs
  Resource: win10v2004-20220812-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.masonadventures.com
  Port: 587
  Username: [email protected]
  Password: PUh/f9ES(7,av{ZL;F
  Email To: [email protected]
Targets
Target: MY03352Q1171700MYKUL.vbs
Size: 309KB
MD5: 11a5f3f7ad7592dc17d89d1b59600fa8
SHA1: 2000b5828e0e9b100d297df5ef4673ea02578dcd
SHA256: 7d4c2032e6d7079d67fc996c9039282a63112bdb95ac675d3d96c6ae9bec3daa
SHA512: a9ffabe48cc16c3801afcf6b8aae96c3c0ea140933a37cb015a7305ffd27bc78d540dc86d596ca9516fa00e664628cf0348dc5e264fd55aa1bb4791afc6a400f
SSDEEP: 6144:PQDNmkBwc8OdK9XoCwguzSCBJnuZ79qfC7gxNZ7kRnbv6j96fL3Wc/div5i9K3mY:PQhzBwc8OdK9XonguzSCBJuZ79qfC7gz
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file
  Checks presence of the QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext