General
Target: Bank Detail.vbs
Size: 133KB
Sample: 230206-qhah1sea37
MD5: e3f36e6188ed8fab3958b0ec4db8c252
SHA1: ddf1653f407849c441d2fe0c752dc838789fa93b
SHA256: e5e5e0dd3fbadb5e8c7632d515ad30182d68e9290f5b037c52d07b91cb2808aa
SHA512: c181926061be5cd09076971ed7c6076ec42e9a8f009c356b13e649f1ce345e590fb3550e16f284cc62fa7fc52ba6d1daa41d9b7c84cb18972dd8aebcaea68b5d
SSDEEP: 3072:vaRJmOAfd8KUTvt3lZXHRTjsa096GbtkcHzDjQQwMBF+8n8gGYiw1NOr:vaSBfdR+j1xTQHZbtkcHzvQQwm2YfW
Static task: static1
Behavioral task: behavioral1 (sample: Bank Detail.vbs; resource: win7-20221111-en)
Behavioral task: behavioral2 (sample: Bank Detail.vbs; resource: win10v2004-20220901-en)
Malware Config
Extracted: http://megookbpnq.cf/Stille.sea
Extracted (agenttesla): https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/
Targets
Target: Bank Detail.vbs
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks QEMU agent file: checks for the presence of the QEMU agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext