General
-
Target
20230208100.cab
-
Size
69KB
-
Sample
230208-pzzc2aag77
-
MD5
4532eb0262ffbefc43e63f2ea7b8c114
-
SHA1
41a4995eb49e232f59e822c40036d947e8ec9b38
-
SHA256
00318a2530828681e8a6741ca987833a4bfaae7d622fcb60295d38170e624bf1
-
SHA512
d5dc529dddbaec6f0448160e97a3e28baae6289dec2d3dffc91874d9dd73edf819fd97482222c595fc3e9d4034821c3954977a0e31490737ddb7c08f464a7d97
-
SSDEEP
1536:w0vFitxdSJoDgdmyD3PDLqkSR0Hpjsrk/RdcxVPn3L:w9UiD0D3PPHSR0wk/RuxZ3L
Static task
static1
Behavioral task
behavioral1
Sample
20230208100.vbs
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
20230208100.vbs
Resource
win10v2004-20220812-en
Malware Config
Extracted
http://megookbpnq.cf/Uninter.thn
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.valvulasthermovalve.cl/ - Port:
21 - Username:
[email protected] - Password:
LILKOOLL14!!
Targets
-
-
Target
20230208100.vbs
-
Size
131KB
-
MD5
41dc8a33e0ad3c7e1dc6a7e82ceef9f3
-
SHA1
ef04a98fbb86bd0184849d8af88eb34ebdef877b
-
SHA256
25c62da172ade20b30e71185ff9ae1cb19713dbc8a86c306167e7e046912c3b6
-
SHA512
400e6067d3b24763396250ddc5dcc41cfcf7093ad4f498e8a8427c97dd2464cf05041bcd48c8d69daf741413601b9affd958d45c6c479fa882b1d2cfb8824fa0
-
SSDEEP
3072:v/rJmOzfVKUTvt3cXHRTj8ae2ZgnUVUo4WJrs0uoOpXdOQYtjQQwMBF+8n8RGYiw:v/gcfs+qxToS6U6+0pdaQQwm5Yf/
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-