General

Target: EMIR....vbs
Size: 86KB
Sample: 230207-v6kq4sch89
MD5: ad30e5a6a05c24a1a258ccad8f18d8a9
SHA1: 12cd13a6e5dad30bdf7bf47c95eeecba5125e05e
SHA256: edb31e91fc23362b0b07322e706002485d1d85fcdc7ac4f943b437733989f662
SHA512: c142dda27f7088ef1ab2d8b635f1a304e4e4f1bac02a2421cf5cc18de9dddb2fa877ac2cdd67fed71f0d0f70f5efcc7031b5ef2db3162277678a5a524371c4e5
SSDEEP: 1536:IAlmpA5OJSMrPPmPAosoZYydS79ATi/Wxfi0PS6HW1bHpoAPi:fliy23rPPCsoZYydq+Ti+xfi0PS6cbJU

Static task: static1
Behavioral task: behavioral1 (sample EMIR....vbs, resource win7-20221111-en)
Behavioral task: behavioral2 (sample EMIR....vbs, resource win10v2004-20221111-en)
Malware Config

Extracted (payload download URL):
https://drive.google.com/uc?export=download&id=1I7BjREVCPEdIeSEXuC9L5uCvqhiwCnnO

Extracted (agenttesla):
Protocol: smtp
Host: smtp.1and1.es
Port: 587
Username: [email protected]
Password: [email protected].
Email To: [email protected]

The Username, Password and Email To fields are redacted in this copy of the report; the host and port above are the usable network indicators for the SMTP exfiltration channel.
Targets

Target: EMIR....vbs (86KB; hashes as listed under General above)
- AgentTesla: Agent Tesla is a .NET remote access tool (RAT) and information stealer (samples are written in VB.NET or C#).
- Blocklisted process makes network request
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles: consistent with the family's harvesting of stored mail-client credentials.
- Legitimate hosting services abused for malware hosting/C2: the payload URL above is a Google Drive direct-download link.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger: thread created with the hide-from-debugger flag, an anti-debugging technique.
- Suspicious use of NtSetInformationThreadHideFromDebugger: existing thread hidden from the debugger, an anti-debugging technique.
- Suspicious use of SetThreadContext: commonly seen in process hollowing and other code-injection techniques.
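Turning the extracted configuration and the network-related signatures into something a defender can run: the block below is an added example, not part of the sandbox report, that takes the payload URL and the SMTP host/port from the Malware Config section, derives indicators from them, and scans a few constructed proxy and firewall log lines for the download, the external-IP lookup and the mail-submission exfiltration. The key=value log format, the allowlist of hosts that may legitimately submit mail on port 587 and the set of IP-lookup services are assumptions made for the example.

```python
"""Added example: derive network indicators from the extracted Agent Tesla
config in the report above and run them over constructed log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken verbatim from the report's "Malware Config" section.
PAYLOAD_URL = ("https://drive.google.com/uc?export=download"
               "&id=1I7BjREVCPEdIeSEXuC9L5uCvqhiwCnnO")
EXFIL_HOST = "smtp.1and1.es"
EXFIL_PORT = 587

# Assumptions for the example (not from the report): internal hosts that
# legitimately submit mail on 587, and web services that the "Looks up
# external IP address via web service" signature typically refers to.
ALLOWED_MAIL_SUBMITTERS = {"10.0.0.25"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}

# key=value tokens; quoted values may contain spaces and '=' (URLs).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def drive_file_id(url):
    """Return the file id of a Google Drive direct-download URL, else None."""
    parts = urlsplit(url)
    if parts.netloc != "drive.google.com" or parts.path != "/uc":
        return None
    query = parse_qs(parts.query)
    if query.get("export") != ["download"]:
        return None
    return query.get("id", [None])[0]


PAYLOAD_ID = drive_file_id(PAYLOAD_URL)


def classify(rec):
    """Return the alert names raised by one parsed proxy/firewall record."""
    alerts = []
    url = rec.get("url")
    if url:
        fid = drive_file_id(url)
        if fid == PAYLOAD_ID:
            alerts.append("known-payload-download")      # exact IOC
        elif fid:
            alerts.append("drive-direct-download")       # same abuse, other file
        if urlsplit(url).hostname in IP_LOOKUP_HOSTS:
            alerts.append("external-ip-lookup")
    dst, dport = rec.get("dst"), rec.get("dport")
    if dst == EXFIL_HOST and dport == str(EXFIL_PORT):
        alerts.append("agenttesla-smtp-exfil")           # exact IOC
    elif dport == str(EXFIL_PORT) and rec.get("src") not in ALLOWED_MAIL_SUBMITTERS:
        alerts.append("mail-submission-from-workstation")  # generic hunt
    return alerts


def scan(lines):
    """Return (source IP, alert) pairs for every line that hits an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        hits.extend((rec.get("src"), alert) for alert in classify(rec))
    return hits


# Constructed sample log lines (not captured from the sandbox run).
SAMPLE_LOG = [
    'ts=2023-02-07T10:11:40Z src=10.0.3.17 url="https://drive.google.com/uc?export=download&id=1I7BjREVCPEdIeSEXuC9L5uCvqhiwCnnO"',
    'ts=2023-02-07T10:11:55Z src=10.0.3.17 url="https://api.ipify.org/"',
    'ts=2023-02-07T10:12:01Z src=10.0.3.17 dst=smtp.1and1.es dport=587 proto=tcp',
    'ts=2023-02-07T10:12:30Z src=10.0.0.25 dst=smtp.example.com dport=587 proto=tcp',
    'ts=2023-02-07T10:13:02Z src=10.0.4.9 dst=smtp.office365.com dport=587 proto=tcp',
    'ts=2023-02-07T10:14:00Z src=10.0.4.9 url="https://www.example.com/index.html"',
]

if __name__ == "__main__":
    for src, alert in scan(SAMPLE_LOG):
        print(f"{src}\t{alert}")
```

The exact indicators (the Drive file id and the smtp.1and1.es:587 pair) are what you block or alert on immediately; the two generic checks, any Drive direct-download and any port-587 submission from a host that is not a mail relay, are the hunting queries that catch the next sample from the same operator after the config changes.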