General

  • Target

    PO1003-20230206.gz

  • Size

    72KB

  • Sample

    230206-jq9vhsga4z

  • MD5

    a765ae49e083353cdc180775d8884716

  • SHA1

    31e7f4ebf414487fed1e5c020e05498639faedc2

  • SHA256

    a5a058e52e29e4fc4216cc690aa1f5fc8590c1ed695daeb7aee7c221cd20c646

  • SHA512

    67ecd47f59fd393599a4aca7bee2929e08fd49081a32a09410ea97334c6a3779744d4be01d3feec99492754d972dc9f17682e72025210d687744728af8c4eb62

  • SSDEEP

    1536:T7mW2NmSRWgFrOVBN/g8Wv03jIA6CP4DcnYxFFg18Ii/7YbhhFy2FI6ZXJ46B2VC:+WDgFi5g8qA6CPMuYiPiDoNO69Jb2V8h

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://megookbpnq.cf/herpetici.afm

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.valvulasthermovalve.cl
  • Port:
    21
  • Username:
    cva19491@valvulasthermovalve.cl
  • Password:
    LILKOOLL14!!

Targets

    • Target

      PO1003-20230206.vbs

    • Size

      132KB

    • MD5

      a2b56b456dab2c7ea6e07bdaf0be06f6

    • SHA1

      942931bbaa2568824208c4d3abbb8ab1b9e9579f

    • SHA256

      87a850093290a5a1cb984c05986abaaea4b135370e892c75b369a37273021bcc

    • SHA512

      d853f43575bbd90c5d674f581af2ea021a6355cff8401d729ca01c96950b6a1b76207fd87d0997c07dc15e1295feab995c144099e2ae475875c5029f5b5b4b44

    • SSDEEP

      3072:vTHJmOSfNKUTvt3UXHRTjwaYxgLKyaJLjQQwMBF+8n8YGYiw1Nbr:vTcDf0+axTE9CKrQQwmOYfH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Command-Line Interface

1
T1059

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Tasks