General

  • Target

    Transf....vbs

  • Size

    123KB

  • Sample

    230208-xb2ggsdf2v

  • MD5

    84f3d45749a8fbf516a9fa3366b29e26

  • SHA1

    6c5c766ceae655caf5468da5b41346eec0602cc7

  • SHA256

    7d4aad4ccac671a9a98a5205380b89553b30fccbbf90b477a3e19cb4f9d2c55f

  • SHA512

    5238bb38e86e38426b2ceba742cb6732d2877e5c8b27446425df2b7a9895a429dd6c51d2fced2a3c2ec65e54c655e5ba9634a391565183be55666242698b0914

  • SSDEEP

    3072:FXDq3Cj8LqSZ9Qy7jPLWCuHQq0mug5yzf:1Dw/mg9QyXYHn0muPT

Malware Config

Extracted

  • Family

    exe.dropper

  • Language

    ps1

  • URLs

    https://drive.google.com/uc?export=download&id=1_-w5Me4EvTzbdzIX_v_YMZdeLAzHrV5z

  The download URL above was recovered from the PowerShell (ps1) stage; the `uc?export=download&id=<file id>` form is a direct Google Drive download link, so the file id is the stable indicator even if the link wrapper changes.
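The hashes and the extracted URL are the indicators a responder would check against. As an added example (not part of the report or of the sandbox's own tooling), the Python below parses this plain-text layout into an IOC set, extracts the Google Drive file id from the `uc?export=download&id=` link so the indicator survives URL-wrapper changes, and hashes a file for comparison. The embedded report excerpt is a constructed copy of the values above; the handling of `/file/d/<id>/view` share links is an assumption about the common share-link format.

```python
import hashlib
import re
from urllib.parse import urlparse, parse_qs

# Constructed excerpt in the report's own plain-text layout (values copied from the page).
REPORT_TEXT = """General

  • Target

    Transf....vbs

  • MD5

    84f3d45749a8fbf516a9fa3366b29e26

  • SHA256

    7d4aad4ccac671a9a98a5205380b89553b30fccbbf90b477a3e19cb4f9d2c55f

Malware Config

Extracted

https://drive.google.com/uc?export=download&id=1_-w5Me4EvTzbdzIX_v_YMZdeLAzHrV5z
"""

HASH_FIELDS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Collect hash IOCs and URLs from the bullet / blank-line report layout."""
    iocs = {"hashes": {}, "urls": []}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        name = ln.lstrip("• ").strip()
        if name in HASH_FIELDS:
            # The value sits on the next non-empty line; ignore it if it is not a hex digest.
            value = next((v for v in lines[i + 1:] if v), "")
            if re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_FIELDS[name], value):
                iocs["hashes"][name] = value.lower()
        elif ln.startswith(("http://", "https://")):
            iocs["urls"].append(ln)
    return iocs


def gdrive_file_id(url):
    """Return the Google Drive file id behind a download link, or None."""
    u = urlparse(url)
    if u.netloc.lower() != "drive.google.com":
        return None
    if u.path == "/uc":                        # uc?export=download&id=<id> (the form in this report)
        ids = parse_qs(u.query).get("id")
        return ids[0] if ids else None
    m = re.match(r"^/file/d/([^/]+)", u.path)  # /file/d/<id>/view share links (assumed format)
    return m.group(1) if m else None


def hash_bytes(data):
    """Compute every hash the report lists, keyed by the report's field names."""
    return {name: getattr(hashlib, name.lower())(data).hexdigest() for name in HASH_FIELDS}


def match_sample(data, iocs):
    """Names of the report hashes that data matches (empty list means no match)."""
    computed = hash_bytes(data)
    return sorted(n for n, v in iocs["hashes"].items() if computed[n] == v)


if __name__ == "__main__":
    import sys
    iocs = parse_report(REPORT_TEXT)
    print("dropper file id:", [gdrive_file_id(u) for u in iocs["urls"]])
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "matches:", match_sample(f.read(), iocs) or "none")
```

Run it with one or more file paths to see which of the report's hashes each file matches; matching on the Drive file id rather than the whole URL also catches the same payload served through a `/file/d/<id>/view` link.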

Targets

    • Target

      Transf....vbs

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT) that harvests credentials from browsers, e-mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP. In this chain it is most likely the payload that GuLoader downloads.

    • GuLoader, CloudEyE

      GuLoader (also tracked as CloudEyE) is a shellcode-based downloader first seen in late 2019/early 2020. It fetches an encrypted payload from legitimate cloud hosting (here a Google Drive download link), decrypts it in memory and runs it, and is heavily armoured with anti-VM and anti-debugging checks; the QEMU, hide-from-debugger and SetThreadContext signatures below are typical of it.

    • Blocklisted process makes network request

      A process on the sandbox's blocklist of script interpreters (wscript.exe, powershell.exe and similar) makes an outbound connection; this is consistent with the PowerShell stage fetching the payload from the extracted Google Drive URL.

    • Checks QEMU agent file

      Checks for the QEMU guest agent's files, most likely to detect a virtualized analysis environment and bail out before the payload runs.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence so the payload only runs in (or outside) chosen regions.

    • Accesses Microsoft Outlook profiles

      Reads Outlook profile data from the registry, where stored mail account settings and credentials live; this is typical Agent Tesla credential harvesting.

    • Legitimate hosting services abused for malware hosting/C2

      The second-stage payload is hosted on Google Drive (see the extracted URL above), so the download blends in with legitimate traffic and is not blocked by domain reputation alone.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP, usually to include it in the stolen-data report.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag so an attached debugger receives no events for it.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), detaching the thread from any debugger; a classic anti-analysis trick commonly seen in GuLoader's shellcode.

    • Suspicious use of SetThreadContext

      Rewrites the context of a thread in another (typically suspended) process so it starts executing injected code, as done in process hollowing.
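The signatures above are behaviours the sandbox observed. The Python below is an added example, not Triage's own signature logic, showing how the same behaviours can be scored from Sysmon-style process, network, registry and file events while scoping to the detonated sample's process tree (so an unrelated browser talking to drive.google.com is not flagged). The sample events are constructed to mirror this chain: wscript.exe spawning PowerShell, PowerShell fetching from drive.google.com and probing for the QEMU agent, then a dropped executable checking the Geo\Nation key, reading Outlook profiles and querying an IP lookup service. The image blocklist, the hosting and IP-lookup domain lists, the qemu-ga path, the `payload.exe` name and the extra "Script host spawned PowerShell" label are assumptions for the example.

```python
import ntpath
from collections import defaultdict

# Assumptions for this example; not the sandbox's real signature definitions.
BLOCKLISTED_IMAGES = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
HOSTING_DOMAINS = {"drive.google.com", "docs.google.com", "onedrive.live.com", "www.dropbox.com"}
IP_LOOKUP_DOMAINS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com"}

WS = "C:\\Windows\\System32\\wscript.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PAYLOAD = "C:\\Users\\victim\\AppData\\Local\\Temp\\payload.exe"   # constructed name
FIREFOX = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
ROOT = WS   # the detonated .vbs runs under wscript.exe

# Constructed events modelled on this report's chain, plus one unrelated browser connection.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": PS, "parent_image": WS},
    {"event": "NetworkConnect", "image": PS, "dest_host": "drive.google.com", "dest_port": 443},
    {"event": "FileQuery", "image": PS, "path": "C:\\Program Files\\qemu-ga\\qemu-ga.exe"},
    {"event": "ProcessCreate", "image": PAYLOAD, "parent_image": PS},
    {"event": "RegistryQuery", "image": PAYLOAD, "key": "HKCU\\Control Panel\\International\\Geo\\Nation"},
    {"event": "RegistryQuery", "image": PAYLOAD,
     "key": "HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"},
    {"event": "NetworkConnect", "image": PAYLOAD, "dest_host": "api.ipify.org", "dest_port": 443},
    {"event": "NetworkConnect", "image": FIREFOX, "dest_host": "drive.google.com", "dest_port": 443},
]


def basename(path):
    return ntpath.basename(path).lower()


def classify(events, root_image):
    """Walk events in order and return {signature: [(image, detail), ...]}.

    Only processes descended from root_image are scored; the descendant set is
    built from ProcessCreate events as they are seen.
    """
    tracked = {root_image.lower()}
    hits = defaultdict(list)
    for ev in events:
        kind = ev["event"]
        image = ev["image"].lower()
        if kind == "ProcessCreate":
            parent = ev["parent_image"].lower()
            if parent in tracked:
                tracked.add(image)
                if basename(parent) in SCRIPT_HOSTS and basename(image) == "powershell.exe":
                    hits["Script host spawned PowerShell"].append((basename(parent), basename(image)))
            continue
        if image not in tracked:        # e.g. the user's browser: not part of the sample's tree
            continue
        img = basename(image)
        if kind == "NetworkConnect":
            host = ev["dest_host"].lower()
            if img in BLOCKLISTED_IMAGES:
                hits["Blocklisted process makes network request"].append((img, host))
            if host in HOSTING_DOMAINS:
                hits["Legitimate hosting services abused for malware hosting/C2"].append((img, host))
            if host in IP_LOOKUP_DOMAINS:
                hits["Looks up external IP address via web service"].append((img, host))
        elif kind == "RegistryQuery":
            key = ev["key"].lower()
            if "\\microsoft\\office\\" in key and "\\outlook\\profiles" in key:
                hits["Accesses Microsoft Outlook profiles"].append((img, ev["key"]))
            if key.endswith("\\control panel\\international\\geo\\nation"):
                hits["Checks computer location settings"].append((img, ev["key"]))
        elif kind == "FileQuery":
            if "qemu-ga" in ev["path"].lower():
                hits["Checks QEMU agent file"].append((img, ev["path"]))
    return dict(hits)


if __name__ == "__main__":
    for name, details in classify(SAMPLE_EVENTS, ROOT).items():
        print(f"{name}: {details}")
```

Scoping to the process tree is what keeps the "legitimate hosting" signature from firing on every browser session; in production telemetry the same idea is applied with Sysmon's ProcessGuid/ParentProcessGuid rather than image paths, which can collide when the same binary runs more than once.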

MITRE ATT&CK Enterprise v6

Tasks