General
- Target: Updated Bank Details.gz
- Size: 72KB
- Sample: 230207-mtjpaabb74
- MD5: 9697563de3bb657ba9a3e596faf06e4f
- SHA1: 90a71c889c86e16b2a87d1436c0e68dae14f644c
- SHA256: ef141f194bd43e6398131e5f2bf37961b597961cf0ebc300e99dabd600c24b46
- SHA512: 0ff77ec3eb00e47f4e4f76dda3da84adb4809a738561c399acb1fc47b41cec7e6295d2403a758bdcdda9cea835f6141bc8f6ba90d28b4db5d93b5e3cc2781f59
- SSDEEP: 1536:d7mW2NmSRWgFrOVBN/g8Wv03jIA6CP4DcnYxFFg18Ii/7YbhhFy2FI6ZXJ46B2VC:UWDgFi5g8qA6CPMuYiPiDoNO69Jb2V8h
Static task: static1
Behavioral task: behavioral1
- Sample: Updated Bank Details.vbs
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: Updated Bank Details.vbs
- Resource: win10v2004-20220812-en
Malware Config
Extracted: https://megookbpnq.cf/herpetici.afm
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.valvulasthermovalve.cl
- Port: 21
- Username: cva19491@valvulasthermovalve.cl
- Password: LILKOOLL14!!
Targets
- Target: Updated Bank Details.vbs
- Size: 132KB
- MD5: a2b56b456dab2c7ea6e07bdaf0be06f6
- SHA1: 942931bbaa2568824208c4d3abbb8ab1b9e9579f
- SHA256: 87a850093290a5a1cb984c05986abaaea4b135370e892c75b369a37273021bcc
- SHA512: d853f43575bbd90c5d674f581af2ea021a6355cff8401d729ca01c96950b6a1b76207fd87d0997c07dc15e1295feab995c144099e2ae475875c5029f5b5b4b44
- SSDEEP: 3072:vTHJmOSfNKUTvt3UXHRTjwaYxgLKyaJLjQQwMBF+8n8YGYiw1Nbr:vTcDf0+axTE9CKrQQwmOYfH
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks QEMU agent file: Checks presence of the QEMU agent, possibly to detect virtualization.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext