General
Target: PO1003-20230206.gz
Size: 72KB
Sample: 230207-mqnh3abb33
MD5: a765ae49e083353cdc180775d8884716
SHA1: 31e7f4ebf414487fed1e5c020e05498639faedc2
SHA256: a5a058e52e29e4fc4216cc690aa1f5fc8590c1ed695daeb7aee7c221cd20c646
SHA512: 67ecd47f59fd393599a4aca7bee2929e08fd49081a32a09410ea97334c6a3779744d4be01d3feec99492754d972dc9f17682e72025210d687744728af8c4eb62
SSDEEP: 1536:T7mW2NmSRWgFrOVBN/g8Wv03jIA6CP4DcnYxFFg18Ii/7YbhhFy2FI6ZXJ46B2VC:+WDgFi5g8qA6CPMuYiPiDoNO69Jb2V8h
Static task: static1
Behavioral task: behavioral1
  Sample: PO1003-20230206.vbs
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: PO1003-20230206.vbs
  Resource: win10v2004-20220812-en
Malware Config
Extracted: https://megookbpnq.cf/herpetici.afm
Extracted: agenttesla
  Protocol: ftp
  Host: ftp://ftp.valvulasthermovalve.cl
  Port: 21
  Username: [email protected]
  Password: LILKOOLL14!!
Targets
Target: PO1003-20230206.vbs
Size: 132KB
MD5: a2b56b456dab2c7ea6e07bdaf0be06f6
SHA1: 942931bbaa2568824208c4d3abbb8ab1b9e9579f
SHA256: 87a850093290a5a1cb984c05986abaaea4b135370e892c75b369a37273021bcc
SHA512: d853f43575bbd90c5d674f581af2ea021a6355cff8401d729ca01c96950b6a1b76207fd87d0997c07dc15e1295feab995c144099e2ae475875c5029f5b5b4b44
SSDEEP: 3072:vTHJmOSfNKUTvt3UXHRTjwaYxgLKyaJLjQQwMBF+8n8YGYiw1Nbr:vTcDf0+axTE9CKrQQwmOYfH
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks QEMU agent file: Checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext