General
- Target: reciept_ 0014010303102_JPG.vbs
- Size: 411KB
- Sample: 230202-tt2nesbh2z
- MD5: d26b9137f31c1c7296ea710bd71b3a59
- SHA1: b37fcfde9230d8854a8bedb13203beffeb71df21
- SHA256: 33146615b36e5718c7e8e69269f3c5cdf3ec72b525e24550da62b360f1360d30
- SHA512: ae88914f39a5b695003d77fe1d1bc06b3302f3956ed597125ab0f81f998b35019ec49320de833ed4201cccb98651a3e97ed142d38a84d3a4ebb1706bd8ab9ad6
- SSDEEP: 6144:JCj1ltFlJ1KxZheePFmYAcM2qQLIcK6wa31LBygR9T8nMs85HaUb4bWPJxxRBtps:Uj7tHP+3zzqVcK6egj4MJ5HaUbhv3ps
Static task
- static1
Behavioral task
- behavioral1: sample reciept_ 0014010303102_JPG.vbs, resource win7-20220812-en
- behavioral2: sample reciept_ 0014010303102_JPG.vbs, resource win10-20220812-en
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.mcmprint.net
- Port: 21
- Username: klogz@mcmprint.net
- Password: l9Hh{#_(0shZ
Targets
- Target: reciept_ 0014010303102_JPG.vbs
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file: checks presence of the QEMU agent, possibly to detect virtualization.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix
Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation