General
-
Target
Sipariş.28.vbs
-
Size
125KB
-
Sample
230208-xb2ggsdf21
-
MD5
90f6cad58fa39455b2bd712eb9a9e5d4
-
SHA1
72e110e777392aa23aba252deedbae00ce93d01a
-
SHA256
88caf41122ae930ca97f30367279b2065148a9319224e34c132eab0cfad2561b
-
SHA512
1cdb50e920c078ed39000b63cf70e0351795d5e7704b29c1905d0678dae5e721bfbf26b57ecf667990ab55c7076add780fffe2478b44bb5ddfb2f3f2d6b1f33a
-
SSDEEP
1536:FFHXmJmnq3Cj74LIHCWF0KcBFuw4AZfsz/1U/727jPysWIJuHhgz26qZgFfga7oj:FYYq3Cj8LqE9ly7jPTWCuHiq0fga7oj
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1-WQl_IuA-mYLU2KIuYz-IB-5GgJqjQQP
Extracted
agenttesla
Protocol: smtp- Host:
smtp.1and1.es - Port:
587 - Username:
[email protected] - Password:
Adara2020* - Email To:
[email protected]
Targets
-
-
Target
Sipariş.28.vbs
-
Size
125KB
-
MD5
90f6cad58fa39455b2bd712eb9a9e5d4
-
SHA1
72e110e777392aa23aba252deedbae00ce93d01a
-
SHA256
88caf41122ae930ca97f30367279b2065148a9319224e34c132eab0cfad2561b
-
SHA512
1cdb50e920c078ed39000b63cf70e0351795d5e7704b29c1905d0678dae5e721bfbf26b57ecf667990ab55c7076add780fffe2478b44bb5ddfb2f3f2d6b1f33a
-
SSDEEP
1536:FFHXmJmnq3Cj74LIHCWF0KcBFuw4AZfsz/1U/727jPysWIJuHhgz26qZgFfga7oj:FYYq3Cj8LqE9ly7jPTWCuHiq0fga7oj
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-