General
-
Target
SAMPLE & SPECIFICATIONS.vbs
-
Size
416KB
-
Sample
230208-xb16qadf2t
-
MD5
2b5ab50d62a83323b1a116aa971a68bb
-
SHA1
70be9ff6c13225a4d063e80573edf155d6bc4696
-
SHA256
1630e7ed4231aa7e175b188202686e4402d447cf6aeee2397deac02aae5f9702
-
SHA512
c8a4f643ec00b0a54b81b13ec03d704638060237ed790db0393ffc3053387c1ae7e1b4bf9b5eb81218557306357050b03515ce46a5f2828cc4538809a284663d
-
SSDEEP
6144:KX0/Cp51RQewTGd2IwtnsJ2xNHTJpump7CF9gl44wVIuUV5EQGnG15UtGazMyNk:KX0/CP1KNTGIxbJpui7eB5ICQ91WRjk
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.mcmprint.net - Port:
21 - Username:
[email protected] - Password:
l9Hh{#_(0shZ
Targets
-
-
Target
SAMPLE & SPECIFICATIONS.vbs
-
Size
416KB
-
MD5
2b5ab50d62a83323b1a116aa971a68bb
-
SHA1
70be9ff6c13225a4d063e80573edf155d6bc4696
-
SHA256
1630e7ed4231aa7e175b188202686e4402d447cf6aeee2397deac02aae5f9702
-
SHA512
c8a4f643ec00b0a54b81b13ec03d704638060237ed790db0393ffc3053387c1ae7e1b4bf9b5eb81218557306357050b03515ce46a5f2828cc4538809a284663d
-
SSDEEP
6144:KX0/Cp51RQewTGd2IwtnsJ2xNHTJpump7CF9gl44wVIuUV5EQGnG15UtGazMyNk:KX0/CP1KNTGIxbJpui7eB5ICQ91WRjk
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-