General

  • Target

    FESCO - Updated SOA 2301303084.gz

  • Size

    276KB

  • Sample

    230208-mr7nbshh3t

  • MD5

    b80f48e72fd0b695cc10c9eb3e5b24f9

  • SHA1

    029f6588f906675e112d6749cf561eb5ba4787bc

  • SHA256

    424cb7300a7e85cf954f69a595b51bc97e1136cea43a20998e2d79ce3a85dcaf

  • SHA512

    58434e2bd71bec666788c890383880178965ceaf357df8f029ad93b8d7d425d1e5967e1d3088e786d50159d8dab806a09f572143736a8db9a945529193d8ce24

  • SSDEEP

    6144:OaFMupznGEJllmQFcbP+vdU92v2uyKuewJ/Q47x1Qj14Z7jfuaF8:2utndxmaci02vGt1Q4DQj14Z+1

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      FESCO - Updated SOA 2301303084.vbs

    • Size

      414KB

    • MD5

      a8c7f9007a7bf03c02295d13a2fba1aa

    • SHA1

      6f0d1e8217091e9df4b9c1a65024dfb9a641d1b2

    • SHA256

      0dcabaa6cc8989400ef065854a8167a969b7cdaa5e766ecc706a8e55f10ab03e

    • SHA512

      ad3a0baa23def4a73a67f1843cfcef9ec8018fbbb8bc780a2857b627eb3775732b181d34d5501a499099940d8d5c78600ce2af11b39104a15cb7b4dcecdf9b04

    • SSDEEP

      6144:PJXPy/W1U13vrimaqXrHkJRNM7j4ECOw9R21wSpFtFsC4qScICZ3G15UtGC5Ty2:FPy+1e3jilmSNMfO9RuV7tFs7cIf1WFV

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry: T1012 (2)
    System Information Discovery: T1082 (3)

  • Collection

    Email Collection: T1114 (1)

Tasks