General

Target: file.vbs
Size: 258KB
Sample: 230207-mp6y1sbb28
MD5: d0ba52dbfbe7f83f06f7f769b86262d1
SHA1: 6f6c3df470839614b343c6b91faef774cbec38b5
SHA256: f8aaafdae6892d626e0eda0eed6717c1306e3124f32c6827710e57d642b6d851
SHA512: b26d5599c5f342c6f716fa5c1d7152dead37bde08da1ec238d41bf64e12af08de5867be311a41fcda56b86bd055fb11b154d1cd7c37b544779c6f1f5fef6c6c3
SSDEEP: 6144:qVfJ51wSP1jYwqeuf5VXTvwRd1umPoDhYFcD5f5PmIY:qVq+BYwwfXrwFoDeF+Y
Static task: static1

Behavioral task: behavioral1
Sample: file.vbs
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: file.vbs
Resource: win10v2004-20221111-en
Malware Config

Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.gammawallish.monster
Port: 21
Username: bonn@gammawallish.monster
Password: u?x5-Iko5uqq
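As an added example (not part of the sandbox report or of any tool it describes), the Python below turns the extracted FTP configuration above into hunting logic and runs it over a handful of constructed log lines. Only the host, port and username come from the report; the log formats, the internal source addresses, the uploaded file name and the helper names are assumptions made for the example. The password is deliberately not used as a match key, since the server name and the account the stealer logs in as are the stable indicators.

```python
"""Hunt for the AgentTesla FTP exfiltration config from the report in network logs.

Added example, not part of the sandbox report. Host, port and username are the
values from the Malware Config section; every log line below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Values exactly as the sandbox extracted them (Malware Config section).
AGENTTESLA_CONFIG = {
    "protocol": "ftp",
    "host": "ftp://ftp.gammawallish.monster",
    "port": 21,
    "username": "bonn@gammawallish.monster",
}


@dataclass(frozen=True)
class FtpExfilIoc:
    domain: str    # exfiltration server hostname, lower-case
    port: int
    username: str  # FTP account the stealer logs in as, lower-case


def config_to_ioc(cfg: dict) -> FtpExfilIoc:
    """Normalise the extracted config: the host is a URL, detections need a hostname."""
    parsed = urlparse(cfg["host"])
    hostname = (parsed.hostname or cfg["host"]).lower()
    return FtpExfilIoc(domain=hostname, port=int(cfg["port"]), username=cfg["username"].lower())


# Constructed sample log lines (assumed formats, not from the report): a flow
# record, DNS queries and FTP control-channel commands, plus benign noise.
SAMPLE_LOGS = [
    "2023-02-07T11:02:13Z conn 10.0.0.15:49871 -> 203.0.113.7:21 proto=tcp bytes=18432",
    "2023-02-07T11:02:14Z dns query=ftp.gammawallish.monster type=A from=10.0.0.15",
    "2023-02-07T11:02:15Z ftp 10.0.0.15 -> ftp.gammawallish.monster USER bonn@gammawallish.monster",
    "2023-02-07T11:02:16Z ftp 10.0.0.15 -> ftp.gammawallish.monster STOR upload.html",
    "2023-02-07T11:05:00Z dns query=update.example.net type=A from=10.0.0.22",
    "2023-02-07T11:06:41Z ftp 10.0.0.22 -> files.example.net USER backup",
]

DNS_RE = re.compile(r"\bdns query=(?P<q>\S+)")
FTP_RE = re.compile(r"\bftp (?P<src>\S+) -> (?P<dst>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$")
SRC_RE = re.compile(r"(?:from=|\bftp )(?P<src>\d+\.\d+\.\d+\.\d+)")


def match_line(line: str, ioc: FtpExfilIoc) -> list[str]:
    """Return the reasons a log line matches the IoC; an empty list means no match.

    A bare TCP/21 flow (first sample line) is not reported on purpose: port 21
    alone is far too common to be an indicator without the server name or account.
    """
    reasons: list[str] = []
    m = DNS_RE.search(line)
    if m and m.group("q").lower() == ioc.domain:
        reasons.append(f"dns lookup of exfil host {ioc.domain}")
    m = FTP_RE.search(line)
    if m:
        if m.group("dst").lower() == ioc.domain:
            reasons.append(f"ftp session to exfil host {ioc.domain}")
        arg = (m.group("arg") or "").strip().lower()
        if m.group("cmd") == "USER" and arg == ioc.username:
            reasons.append(f"ftp login as exfil account {ioc.username}")
    return reasons


def hunt(lines: list[str], ioc: FtpExfilIoc) -> list[tuple[str, list[str]]]:
    """Run match_line over every line and keep only the hits, in log order."""
    hits = []
    for line in lines:
        reasons = match_line(line, ioc)
        if reasons:
            hits.append((line, reasons))
    return hits


def infected_hosts(lines: list[str], ioc: FtpExfilIoc) -> set[str]:
    """Internal source addresses that resolved or logged in to the exfil server."""
    hosts: set[str] = set()
    for line, _reasons in hunt(lines, ioc):
        m = SRC_RE.search(line)
        if m:
            hosts.add(m.group("src"))
    return hosts


if __name__ == "__main__":
    ioc = config_to_ioc(AGENTTESLA_CONFIG)
    for line, reasons in hunt(SAMPLE_LOGS, ioc):
        print(line, "=>", "; ".join(reasons))
    print("hosts to triage:", sorted(infected_hosts(SAMPLE_LOGS, ioc)))
```

Against the constructed lines this flags the DNS resolution, the FTP login with the extracted account and the subsequent STOR from 10.0.0.15, and ignores the flow to port 21 and the unrelated FTP backup session. Matching the account name as well as the hostname matters: the same attacker infrastructure is often shared across campaigns, so the USER value ties a session to this particular build's config.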
Targets

Target: file.vbs
AgentTesla
Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer; the configuration extracted above shows this sample exfiltrating over FTP.

Checks QEMU agent file
Checks for the presence of the QEMU guest agent, possibly to detect virtualization and evade sandboxes.

Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing (running only in, or avoiding, particular locales).

Accesses Microsoft Outlook profiles

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.

Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Both hide a thread from an attached debugger (ThreadHideFromDebugger), a common anti-debugging technique.

Suspicious use of SetThreadContext
Rewriting another thread's context is commonly seen in process injection and hollowing.