General
- Target: eb3736303989c50cc32eef01676ad77603e0fc8ce2b15f6115de4d4ac526486d
- Size: 72KB
- Sample: 230206-dz8e6afc8x
- MD5: e9d3edfc2d537d9a833ede05e31b9dca
- SHA1: 0e16ffe93f94b0e8fb6cf7ec0226a389b38b21e3
- SHA256: eb3736303989c50cc32eef01676ad77603e0fc8ce2b15f6115de4d4ac526486d
- SHA512: f741d0ba00907791198022e96fcea04f93a711481128631a1f9078423fd706f17d7c50d4a46e93b4605f3a19d6a8c9fd1c8e9c4687949f8d7e5fe4d28eac3095
- SSDEEP: 1536:CHzq0DVY6OFQVIwkRmPuVubhxvjvjL8Zm870AF00bWxCvS6h:OmoYjQVf2VqfXAM8gA20C0
Static task: static1
Behavioral task: behavioral1
- Sample: Bank Detail.vbs
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: Bank Detail.vbs
- Resource: win10v2004-20220812-en
Malware Config
- Extracted: http://megookbpnq.cf/Stille.sea
- Extracted (agenttesla): https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/
Targets
- Target: Bank Detail.vbs
- Size: 133KB
- MD5: e3f36e6188ed8fab3958b0ec4db8c252
- SHA1: ddf1653f407849c441d2fe0c752dc838789fa93b
- SHA256: e5e5e0dd3fbadb5e8c7632d515ad30182d68e9290f5b037c52d07b91cb2808aa
- SHA512: c181926061be5cd09076971ed7c6076ec42e9a8f009c356b13e649f1ce345e590fb3550e16f284cc62fa7fc52ba6d1daa41d9b7c84cb18972dd8aebcaea68b5d
- SSDEEP: 3072:vaRJmOAfd8KUTvt3lZXHRTjsa096GbtkcHzDjQQwMBF+8n8gGYiw1NOr:vaSBfdR+j1xTQHZbtkcHzvQQwm2YfW
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks QEMU agent file: Checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext