General
Target: Excel_7712202816310TD01_20230228_17366 XLS.vbs
Size: 125KB
Sample: 230208-xb2ggsdf2z
MD5: 7a8b9600aa46176d0986787d1b1f3e1f
SHA1: 4db3fab3f61941a751c3e0a68937ed2a6fb51ddc
SHA256: 0ca5f0541030610716ffd5f2c2f0d7372dca5d71e9cf0fd482a84db53fd34a94
SHA512: 89025b4ce330d8a7e02aee298cf3ac0caf7c9216939f34b31d5762e4f8dd0c9d8d37745d054eba34b12e990b534f90ffe1b38210774a5632ffadd5e78b1b13a2
SSDEEP: 3072:Ftnq3Cj8Lqa7vk7F9ky7jP2WCuH+q0qHgFa6H:Dnw/ma7vk7F9kyXjH90qH+aO
Static task: static1
Behavioral task: behavioral1
Sample: Excel_7712202816310TD01_20230228_17366 XLS.vbs
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: Excel_7712202816310TD01_20230228_17366 XLS.vbs
Resource: win10v2004-20220812-en
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1UnU9ydYXvBsgDAS_xzEWlzcaiV6O_QdT
Extracted
agenttesla
Protocol: smtp
Host: mail.1and1.es
Port: 587
Username: [email protected]
Password: vanesalucia00
Email To: [email protected]
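Added example for this report (not code from the sandbox vendor or the malware author): it parses the flattened "Key: value - Key: value" run that the extracted agenttesla block prints into a typed record, derives hunting indicators from it, and runs them over a few constructed egress log lines. The key=value log format, the 192.0.2.x source addresses and every host other than mail.1and1.es are assumptions. The mailbox fields are kept exactly as the page prints them ("[email protected]") and treated as redacted, so the only indicator left to hunt on is the mail host and submission port, and the code grades host-only traffic low because mail.1and1.es is a shared, legitimate provider host.

```python
"""Parse the AgentTesla SMTP config from this report and hunt for it in logs.
Added example; the log format and log lines below are constructed."""
import re
from dataclasses import dataclass

# The "Extracted / agenttesla" block as the report flattens it. The page shows
# the mailbox fields obfuscated as "[email protected]"; kept verbatim, treated
# as redacted.
RAW_CONFIG = """Protocol: smtp- Host:
mail.1and1.es - Port:
587 - Username:
[email protected] - Password:
vanesalucia00 - Email To:
[email protected]"""

KEYS = ("Protocol", "Host", "Port", "Username", "Password", "Email To")
REDACTED = "[email protected]"


@dataclass
class AgentTeslaSmtpConfig:
    protocol: str
    host: str
    port: int
    username: str
    password: str
    email_to: str


def parse_config(raw: str) -> AgentTeslaSmtpConfig:
    """Turn the flattened 'Key: value - Key: value' run into a typed record."""
    text = " ".join(raw.split())  # collapse the line breaks the report inserts
    keys = "|".join(re.escape(k) for k in KEYS)
    # value = everything up to the next known key (or end), minus the ' - ' joiner
    pattern = re.compile(rf"({keys}):\s*(.*?)\s*-?\s*(?=(?:{keys}):|$)")
    fields = {m.group(1): m.group(2) for m in pattern.finditer(text)}
    missing = [k for k in KEYS if k not in fields]
    if missing:
        raise ValueError(f"config is missing fields: {missing}")
    return AgentTeslaSmtpConfig(
        protocol=fields["Protocol"].lower(),
        host=fields["Host"].lower(),
        port=int(fields["Port"]),
        username=fields["Username"],
        password=fields["Password"],
        email_to=fields["Email To"],
    )


def network_indicators(cfg: AgentTeslaSmtpConfig) -> dict:
    """Mail host/port always; account identifiers only if the report printed them."""
    ind = {"protocol": cfg.protocol, "dst_host": cfg.host, "dst_port": cfg.port}
    if cfg.username != REDACTED:
        ind["smtp_auth_user"] = cfg.username
    if cfg.email_to != REDACTED:
        ind["smtp_rcpt"] = cfg.email_to
    return ind


# Constructed egress records (not from the sandbox run); sources are RFC 5737
# documentation addresses, hosts other than the C2 are illustrative.
SAMPLE_LOGS = [
    "ts=2023-02-28T09:15:02Z src=192.0.2.10 dst_host=mail.1and1.es dst_port=587 proto=smtp",
    "ts=2023-02-28T09:15:40Z src=192.0.2.11 dst_host=smtp.example.net dst_port=587 proto=smtp rcpt=finance@example.net",
    "ts=2023-02-28T09:16:13Z src=192.0.2.12 dst_host=MAIL.1and1.es dst_port=993 proto=imap",
    "ts=2023-02-28T09:17:55Z src=192.0.2.13 dst_host=drive.google.com dst_port=443 proto=https",
]


def parse_log_line(line: str) -> dict:
    return dict(kv.split("=", 1) for kv in line.split())


def match_line(cfg: AgentTeslaSmtpConfig, line: str):
    """Return (severity, reason) for a record matching the config, else None."""
    rec = parse_log_line(line)
    host_hit = rec.get("dst_host", "").lower() == cfg.host
    port_hit = rec.get("dst_port") == str(cfg.port)
    rcpt = rec.get("rcpt", "").lower()
    if cfg.email_to != REDACTED and rcpt == cfg.email_to.lower():
        return "high", "recipient equals the extracted 'Email To' mailbox"
    if host_hit and port_hit:
        return "medium", f"submission to {cfg.host}:{cfg.port}, the extracted SMTP C2"
    if host_hit:
        # shared legitimate provider host: weak on its own without account fields
        return "low", f"other traffic to {cfg.host} (shared mail provider)"
    return None


def scan(cfg: AgentTeslaSmtpConfig, lines) -> list:
    """1-based line numbers with severity and reason for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        res = match_line(cfg, line)
        if res is not None:
            hits.append((n, *res))
    return hits


if __name__ == "__main__":
    cfg = parse_config(RAW_CONFIG)
    print(network_indicators(cfg))
    for n, sev, why in scan(cfg, SAMPLE_LOGS):
        print(f"line {n}: [{sev}] {why}")
```

Run as a script it prints the derived indicators and two hits: the port-587 submission to mail.1and1.es graded medium and the IMAP connection to the same host graded low. Once the real mailbox fields are available, the recipient check promotes a match to high and becomes the indicator worth alerting on.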
Targets

Excel_7712202816310TD01_20230228_17366 XLS.vbs (125KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.

Blocklisted process makes network request

Checks QEMU agent file
Checks for the presence of the QEMU guest agent, possibly to detect virtualization.

Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence.

Accesses Microsoft Outlook profiles
Outlook profile data is a common source of harvested mail credentials.

Legitimate hosting services abused for malware hosting/C2
Here the Google Drive download URL in the extracted config.

Suspicious use of NtCreateThreadExHideFromDebugger
Creates a thread with the hide-from-debugger flag so an attached debugger receives no events for it.

Suspicious use of NtSetInformationThreadHideFromDebugger
Sets ThreadHideFromDebugger on an existing thread for the same effect.

Suspicious use of SetThreadContext
Rewrites a thread's register context; commonly paired with a suspended process to redirect execution into injected code (process hollowing/RunPE).