General
-
Target
DHL_1x20'Doc-0736449574-Shipment#0106245448.vbs
-
Size
391KB
-
Sample
230206-p5t1hahc3v
-
MD5
ab4da71633484cec2ed916e018b3c67f
-
SHA1
db83ce1e5bac5eed7542015072793a9fcf78d27f
-
SHA256
c4314bf636042a13a454dea884fad2eb1d104c472eb7a082b23c86a493ccd0d1
-
SHA512
80f1af214dfcd09cbd6996d0462863434f4fca97df6e22258d4b0ef8f983d3283e72c3fe989adfe4e7d0277dec7ba9d1dafad8a61603b5eaedf357b8637a8538
-
SSDEEP
12288:CFIsbC8WjtcpBzshxRYBVRC2cKjrRYASwNB/p:ChKIBohrYbNKwTp
Static task
static1
Behavioral task
behavioral1
Sample
DHL_1x20'Doc-0736449574-Shipment#0106245448.vbs
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
DHL_1x20'Doc-0736449574-Shipment#0106245448.vbs
Resource
win10v2004-20220812-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.gammawallish.monster - Port:
21 - Username:
[email protected] - Password:
E-#2;}6e&{[T
Targets
-
-
Target
DHL_1x20'Doc-0736449574-Shipment#0106245448.vbs
-
Size
391KB
-
MD5
ab4da71633484cec2ed916e018b3c67f
-
SHA1
db83ce1e5bac5eed7542015072793a9fcf78d27f
-
SHA256
c4314bf636042a13a454dea884fad2eb1d104c472eb7a082b23c86a493ccd0d1
-
SHA512
80f1af214dfcd09cbd6996d0462863434f4fca97df6e22258d4b0ef8f983d3283e72c3fe989adfe4e7d0277dec7ba9d1dafad8a61603b5eaedf357b8637a8538
-
SSDEEP
12288:CFIsbC8WjtcpBzshxRYBVRC2cKjrRYASwNB/p:ChKIBohrYbNKwTp
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-