General
- Target: FESCO - Updated SOA 2301303084.gz
- Size: 276KB
- Sample: 230208-mr7nbshh3t
- MD5: b80f48e72fd0b695cc10c9eb3e5b24f9
- SHA1: 029f6588f906675e112d6749cf561eb5ba4787bc
- SHA256: 424cb7300a7e85cf954f69a595b51bc97e1136cea43a20998e2d79ce3a85dcaf
- SHA512: 58434e2bd71bec666788c890383880178965ceaf357df8f029ad93b8d7d425d1e5967e1d3088e786d50159d8dab806a09f572143736a8db9a945529193d8ce24
- SSDEEP: 6144:OaFMupznGEJllmQFcbP+vdU92v2uyKuewJ/Q47x1Qj14Z7jfuaF8:2utndxmaci02vGt1Q4DQj14Z+1
Static task: static1
Behavioral task: behavioral1
- Sample: FESCO - Updated SOA 2301303084.vbs
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: FESCO - Updated SOA 2301303084.vbs
- Resource: win10v2004-20220812-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: Smtp.ionos.co.uk
- Port: 587
- Username: [email protected]
- Password: PJaccident@2020
- Email To: [email protected]
Targets
- Target: FESCO - Updated SOA 2301303084.vbs
- Size: 414KB
- MD5: a8c7f9007a7bf03c02295d13a2fba1aa
- SHA1: 6f0d1e8217091e9df4b9c1a65024dfb9a641d1b2
- SHA256: 0dcabaa6cc8989400ef065854a8167a969b7cdaa5e766ecc706a8e55f10ab03e
- SHA512: ad3a0baa23def4a73a67f1843cfcef9ec8018fbbb8bc780a2857b627eb3775732b181d34d5501a499099940d8d5c78600ce2af11b39104a15cb7b4dcecdf9b04
- SSDEEP: 6144:PJXPy/W1U13vrimaqXrHkJRNM7j4ECOw9R21wSpFtFsC4qScICZ3G15UtGC5Ty2:FPy+1e3jilmSNMfO9RuV7tFs7cIf1WFV
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext