General

  • Target

    Updated Bank Details.gz

  • Size

    72KB

  • Sample

    230207-mtjpaabb74

  • MD5

    9697563de3bb657ba9a3e596faf06e4f

  • SHA1

    90a71c889c86e16b2a87d1436c0e68dae14f644c

  • SHA256

    ef141f194bd43e6398131e5f2bf37961b597961cf0ebc300e99dabd600c24b46

  • SHA512

    0ff77ec3eb00e47f4e4f76dda3da84adb4809a738561c399acb1fc47b41cec7e6295d2403a758bdcdda9cea835f6141bc8f6ba90d28b4db5d93b5e3cc2781f59

  • SSDEEP

    1536:d7mW2NmSRWgFrOVBN/g8Wv03jIA6CP4DcnYxFFg18Ii/7YbhhFy2FI6ZXJ46B2VC:UWDgFi5g8qA6CPMuYiPiDoNO69Jb2V8h

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs (exe.dropper)

    https://megookbpnq.cf/herpetici.afm

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.valvulasthermovalve.cl
  • Port:
    21
  • Username:
    cva19491@valvulasthermovalve.cl
  • Password:
    LILKOOLL14!!
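The extracted configuration above gives two network indicators (the stage-two download URL and the FTP exfiltration account) that are directly usable for detection. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it derives IOCs from those values and runs them over a constructed FTP control-channel transcript and a constructed proxy log. The transcript lines, the upload filename, the log format (`<timestamp> <src_ip> GET <url>`) and the `C:`/`S:` prefixes are all assumptions made for the example.

```python
"""Turn the report's extracted config into IOCs and apply them to logs (added example)."""
from urllib.parse import urlparse

# Values copied from the sandbox report above.
DROPPER_URL = "https://megookbpnq.cf/herpetici.afm"
EXFIL_HOST = "ftp://ftp.valvulasthermovalve.cl"
EXFIL_USER = "cva19491@valvulasthermovalve.cl"

# Constructed FTP control-channel transcript in the shape Agent Tesla's FTP
# exfiltration would leave (the filename is an assumption, not from the sample).
FTP_TRANSCRIPT = [
    "S: 220 (vsFTPd 3.0.3)",
    "C: USER cva19491@valvulasthermovalve.cl",
    "S: 331 Please specify the password.",
    "C: PASS LILKOOLL14!!",
    "S: 230 Login successful.",
    "C: TYPE I",
    "S: 200 Switching to Binary mode.",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80).",
    "C: STOR PW_victim-DESKTOP-1234_2023_02_07_10_15_02.html",
    "S: 150 Ok to send data.",
    "S: 226 Transfer complete.",
    "C: QUIT",
    "S: 221 Goodbye.",
]

# Constructed proxy log: "<timestamp> <src_ip> GET <url>".
PROXY_LOG = [
    "2023-02-07T10:14:50Z 10.0.0.21 GET https://megookbpnq.cf/herpetici.afm",
    "2023-02-07T10:14:55Z 10.0.0.21 GET https://www.microsoft.com/",
]


def iocs_from_config(dropper_url=DROPPER_URL, exfil_host=EXFIL_HOST, exfil_user=EXFIL_USER):
    """Derive the hostnames, the exact stage-two URL and the FTP account from the config."""
    return {
        "hosts": {urlparse(dropper_url).hostname, urlparse(exfil_host).hostname},
        "urls": {dropper_url},
        "ftp_user": exfil_user,
    }


def parse_ftp_control(lines):
    """Reduce a 'C: ...' / 'S: ...' control-channel transcript to the facts that matter:
    which account logged in, whether the server accepted it, and which files were stored."""
    session = {"user": None, "password_sent": False, "logged_in": False, "uploads": []}
    pending_store = None
    for raw in lines:
        side, _, payload = raw.strip().partition(": ")
        if side == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                session["user"] = arg
            elif verb == "PASS":
                session["password_sent"] = True  # never log the secret itself
            elif verb in ("STOR", "APPE"):
                pending_store = arg  # upload announced; confirmed only on 226
        elif side == "S":
            code = payload[:3]
            if code == "230":
                session["logged_in"] = True
            elif code == "226" and pending_store:
                session["uploads"].append(pending_store)
                pending_store = None
            elif code.startswith(("4", "5")):
                pending_store = None  # transfer refused or failed
    return session


def detect_exfil(ftp_lines, iocs):
    """Alert only on a completed upload by the known exfil account, not on a bare login attempt."""
    s = parse_ftp_control(ftp_lines)
    s["account_match"] = s["user"] == iocs["ftp_user"]
    s["alert"] = s["account_match"] and s["logged_in"] and bool(s["uploads"])
    return s


def match_proxy_log(lines, iocs):
    """Return the requested URLs whose full URL or host is in the IOC set."""
    hits = []
    for line in lines:
        url = line.split()[-1]
        if url in iocs["urls"] or urlparse(url).hostname in iocs["hosts"]:
            hits.append(url)
    return hits


if __name__ == "__main__":
    iocs = iocs_from_config()
    print(detect_exfil(FTP_TRANSCRIPT, iocs))
    print(match_proxy_log(PROXY_LOG, iocs))
```

The parser deliberately records only that a password was sent, not its value, so the detection output can be shipped to a SIEM without re-exposing the credential; and it requires a `226` after `STOR` before counting an upload, so a blocked transfer is visible as a login without exfiltration.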

Targets

    • Target

      Updated Bank Details.vbs

    • Size

      132KB

    • MD5

      a2b56b456dab2c7ea6e07bdaf0be06f6

    • SHA1

      942931bbaa2568824208c4d3abbb8ab1b9e9579f

    • SHA256

      87a850093290a5a1cb984c05986abaaea4b135370e892c75b369a37273021bcc

    • SHA512

      d853f43575bbd90c5d674f581af2ea021a6355cff8401d729ca01c96950b6a1b76207fd87d0997c07dc15e1295feab995c144099e2ae475875c5029f5b5b4b44

    • SSDEEP

      3072:vTHJmOSfNKUTvt3UXHRTjwaYxgLKyaJLjQQwMBF+8n8YGYiw1Nbr:vTcDf0+axTE9CKrQQwmOYfH

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; the configuration extracted above exfiltrates over FTP.

    • GuLoader (CloudEyE)

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks for the QEMU guest agent (qemu-ga) on disk, likely to detect a virtualized analysis environment.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER so that an attached debugger receives no events for it.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger class, an anti-debugging technique that hides the thread from an attached debugger.

    • Suspicious use of SetThreadContext

      Rewrites a thread's register context, commonly seen in process injection (for example process hollowing) to redirect a suspended thread into injected code.
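The behaviour signatures listed above are each a simple predicate over sandbox API events. The Python below is an added example, not the sandbox's own signature engine: it encodes the six behaviours as predicates over a constructed event stream and reports which fired, with evidence. The event schema, the registry key (`HKEY_CURRENT_USER\Control Panel\International\Geo\Nation`), the qemu-ga paths and the IP-lookup host list are assumptions made for the example; the constants `ThreadHideFromDebugger = 0x11` and `THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4` are the documented Windows values.

```python
"""Re-implement the report's behaviour signatures over sandbox events (added example)."""

# Assumed indicators. The key and paths are what these checks typically touch;
# treat them as example values, not as the sandbox's exact signature logic.
GEO_NATION_KEY = r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation".lower()
QEMU_AGENT_PATHS = {r"c:\program files\qemu-ga\qemu-ga.exe"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com",
                   "icanhazip.com", "ifconfig.me"}
THREAD_HIDE_FROM_DEBUGGER = 0x11              # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit

# Each signature is (name as shown in the report, predicate over one event).
SIGNATURES = [
    ("Checks computer location settings",
     lambda e: e["op"].startswith("Reg") and e.get("key", "").lower() == GEO_NATION_KEY),
    ("Checks QEMU agent file",
     lambda e: e["op"] in ("CreateFile", "GetFileAttributes")
               and e.get("path", "").lower() in QEMU_AGENT_PATHS),
    ("Looks up external IP address via web service",
     lambda e: e["op"] in ("DnsQuery", "HttpRequest")
               and e.get("host", "").lower() in IP_LOOKUP_HOSTS),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     lambda e: e["op"] == "NtSetInformationThread"
               and e.get("class") == THREAD_HIDE_FROM_DEBUGGER),
    ("Suspicious use of NtCreateThreadExHideFromDebugger",
     lambda e: e["op"] == "NtCreateThreadEx"
               and bool(e.get("flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER)),
    ("Suspicious use of SetThreadContext",
     lambda e: e["op"] == "SetThreadContext"),
]

# Constructed event stream in execution order; a real sandbox would emit
# thousands of events, these are just the ones that matter here.
EVENTS = [
    {"op": "RegQueryValue", "key": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"},
    {"op": "CreateFile", "path": r"C:\Program Files\qemu-ga\qemu-ga.exe", "status": "NOT_FOUND"},
    {"op": "NtSetInformationThread", "class": 0x11},
    {"op": "NtCreateThreadEx", "flags": 0x4},
    {"op": "SetThreadContext", "pid": 1234, "target_pid": 4321},
    {"op": "DnsQuery", "host": "api.ipify.org"},
    {"op": "CreateFile", "path": r"C:\Windows\System32\kernel32.dll", "status": "SUCCESS"},
]


def evaluate(events):
    """Run every signature over the events; return {signature: [matching events]}
    containing only the signatures that fired."""
    hits = {}
    for name, pred in SIGNATURES:
        evidence = [e for e in events if pred(e)]
        if evidence:
            hits[name] = evidence
    return hits


def cross_process_thread_context(events):
    """SetThreadContext on another process's thread is the injection case worth escalating."""
    return [e for e in events
            if e["op"] == "SetThreadContext" and e.get("target_pid") not in (None, e.get("pid"))]


if __name__ == "__main__":
    for name, evidence in evaluate(EVENTS).items():
        print(f"{name}: {len(evidence)} event(s)")
    print("cross-process SetThreadContext:", cross_process_thread_context(EVENTS))
```

Keeping the evidence list rather than a boolean lets the report show the exact key, path or host that triggered each signature, which is what an analyst needs to decide whether a geofence lookup or an IP check is benign in context.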

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface (T1059): 1 signature

  • Discovery

    Query Registry (T1012): 2 signatures

    System Information Discovery (T1082): 4 signatures

The mapping uses ATT&CK v6 technique names; in current ATT&CK, T1059 is "Command and Scripting Interpreter".
