General

  • Target

    transferencia....vbe

  • Size

    88KB

  • Sample

    230206-lfc4xadb58

  • MD5

    5ccd4b2dca88fb315b9486757d193842

  • SHA1

    9f5e0e0daee387499ffdbf5f7c807789b6ada9a6

  • SHA256

    90befaa56e94b48911a593a0b058551655b4f8213c2a9cb61beae82ff7c59afb

  • SHA512

    88ffdcbb05e0922b30483dc1f5645f6fc9d2f9656dea8d8be002f51ce457fcb52fb6f83dd317c397dd71c2b8266d4c03f94bd6464636522975ea50e524cac132

  • SSDEEP

    1536:jAqmpA5OtW4iVhZbjMNTm/Wxfi0PS6dW1hHpiAFi:kqiyW5iVrbOTm+xfi0PS6+hJBi

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • exe.dropper

    https://drive.google.com/uc?export=download&id=1VruPs4G7Z0bAS-FbCVzvudjHc-wXo6vB

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.1and1.es
  • Port:
    587
  • Username:
    eventos@cafedelacruz.es
  • Password:
    EventosCamar2014
  • Email To:
    ernestbrown7711@gmail.com

Targets


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry (2 hits): T1012
    System Information Discovery (3 hits): T1082

  • Collection

    Email Collection (1 hit): T1114

  • Command and Control

    Web Service (1 hit): T1102
