General
- Target: DC0376654883101.vbs
- Size: 369KB
- Sample: 230206-l43pgadd35
- MD5: 67bf4e78144983c7c843d46a908b9245
- SHA1: abf1f10e40ece8bc72dba49f89703e0e25e30a3c
- SHA256: 181ca5aadede7f35e9bec07d2b861ecd69ff01d477102c1e473dd30f63114b43
- SHA512: 059c65cd3786efec9350cb0ee8084f50ae97aa5bf5b5d2a2c11ede4d20e1d1ba61eee4a1ee27bc1fbfd3ca8766759386cf292105971e98187b11132676cd7249
- SSDEEP: 6144:Z9wMMDQsW45hO1tmcQqvsZZmem5Oeg/sFtjI0RJFxLcI1+5U5:ZHMqqhw91yZmeqO1/IBI0R7xZ1aU5
Static task
- static1
Behavioral task
- behavioral1: Sample DC0376654883101.vbs, Resource win7-20221111-en
Behavioral task
- behavioral2: Sample DC0376654883101.vbs, Resource win10v2004-20220901-en
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.obikolki.com
- Port: 21
- Username: a1@obikolki.com
- Password: o(%S[UY=&%3X
Targets
- Target: DC0376654883101.vbs
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file: Checks presence of the QEMU agent, possibly to detect virtualization.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext