General
-
Target
justificante de transferencia.vbe
-
Size
86KB
-
Sample
230207-vppzhaga7w
-
MD5
15bd082a1239672f89da95a8e64c222c
-
SHA1
03e403be543416771fbf7aafeed8023257619bdc
-
SHA256
773560e65eee3974ead74c4f73859a9f094794610469e71566cbed3d04015e2c
-
SHA512
ad32109ab0c77cbbe0b29d05153463a8b4b408176019be58d428a9d4bb4920a1e3ea097f66e46b7aaff65fee79fac4044e748e025adb3913032faafeeb2a4014
-
SSDEEP
1536:MApmpA5OR/mZrFWHVzt6XZT6/Wxfi0PS6aW12HpsA4i:7piy+/cgHF4JT6+xfi0PS6H2JCi
Static task
static1
Behavioral task
behavioral1
Sample
justificante de transferencia.vbe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
justificante de transferencia.vbe
Resource
win10v2004-20220812-en
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=10wUX24m2KoXCtZbcElr2d3t8TYB8y6dQ
Extracted
agenttesla
Protocol: smtp
Host: mail.heladospalacio.com
Port: 587
Username: [email protected]
Password: Drs4x0!6
Email To: [email protected]
Targets
-
Target
justificante de transferencia.vbe
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-