General
Target: 20230208100.vbs
Size: 131KB
Sample: 230208-xb2ggsed66
MD5: 41dc8a33e0ad3c7e1dc6a7e82ceef9f3
SHA1: ef04a98fbb86bd0184849d8af88eb34ebdef877b
SHA256: 25c62da172ade20b30e71185ff9ae1cb19713dbc8a86c306167e7e046912c3b6
SHA512: 400e6067d3b24763396250ddc5dcc41cfcf7093ad4f498e8a8427c97dd2464cf05041bcd48c8d69daf741413601b9affd958d45c6c479fa882b1d2cfb8824fa0
SSDEEP: 3072:v/rJmOzfVKUTvt3cXHRTj8ae2ZgnUVUo4WJrs0uoOpXdOQYtjQQwMBF+8n8RGYiw:v/gcfs+qxToS6U6+0pdaQQwm5Yf/
Static task: static1
Behavioral task: behavioral1 (Sample: 20230208100.vbs, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: 20230208100.vbs, Resource: win10v2004-20220812-en)
Malware Config
Extracted URL: http://megookbpnq.cf/Uninter.thn
Extracted family: agenttesla
Protocol: ftp
Host: ftp://ftp.valvulasthermovalve.cl/
Port: 21
Username: [email protected] (shown as the page's e-mail obfuscation placeholder, not the configured value)
Password: LILKOOLL14!!
Exfiltration is over plaintext FTP on port 21, so the credentials and the stolen data are visible on the wire; the URL, the FTP host and the credentials are the network indicators to block and hunt for.
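Added example (not code from the sandbox or from this report): a Python helper that parses the Malware Config text above, as it appears on the page, into structured and defanged indicators, flags the plaintext-FTP exfiltration, and checks a file's digests against the hashes listed under General. The config text and hashes are copied from this report; the defanging convention (hxxp, [.]) and the regex that re-splits the wrapped "Key: value" fields are this example's own choices.

```python
"""Parse the report's extracted config into IOCs and verify a sample's hashes."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Copied from the report, including the run-together "ftp- Host:" layout
# that the page extraction produced.
REPORT_CONFIG = """\
Extracted
http://megookbpnq.cf/Uninter.thn
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.valvulasthermovalve.cl/ - Port:
21 - Username:
[email protected] - Password:
LILKOOLL14!!
"""

# Hashes as listed under General. SSDEEP needs a third-party library and is
# deliberately left out of the stdlib-only check below.
REPORT_HASHES = {
    "md5": "41dc8a33e0ad3c7e1dc6a7e82ceef9f3",
    "sha1": "ef04a98fbb86bd0184849d8af88eb34ebdef877b",
    "sha256": "25c62da172ade20b30e71185ff9ae1cb19713dbc8a86c306167e7e046912c3b6",
    "sha512": "400e6067d3b24763396250ddc5dcc41cfcf7093ad4f498e8a8427c97dd2464cf"
              "05041bcd48c8d69daf741413601b9affd958d45c6c479fa882b1d2cfb8824fa0",
}


@dataclass
class ExtractedConfig:
    family: str                                  # "url" for a bare URL block
    fields: dict = field(default_factory=dict)   # lower-cased key -> value
    urls: list = field(default_factory=list)


def parse_report_config(text: str) -> list[ExtractedConfig]:
    """Split the text into 'Extracted' blocks: either a bare URL, or a family
    name followed by wrapped 'Key: value' pairs separated by ' - '."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    blocks, i = [], 0
    while i < len(lines):
        if lines[i] != "Extracted":
            i += 1
            continue
        i += 1
        if re.match(r"^[a-z]+://", lines[i]):
            blocks.append(ExtractedConfig(family="url", urls=[lines[i]]))
            i += 1
            continue
        cfg = ExtractedConfig(family=lines[i])
        i += 1
        body = []
        while i < len(lines) and lines[i] != "Extracted":
            body.append(lines[i])
            i += 1
        # Rejoin the wrapped lines, then split just before each 'Key:' token
        # (assumed field-separator layout of the page).
        for part in re.split(r"\s*-\s+(?=[A-Z]\w*:)", " ".join(body)):
            key, _, value = part.partition(":")
            cfg.fields[key.strip().lower()] = value.strip()
        blocks.append(cfg)
    return blocks


def defang(s: str) -> str:
    """Make an indicator safe to paste into a ticket (hxxp, [:]//, [.])."""
    return s.replace("http", "hxxp").replace("://", "[:]//").replace(".", "[.]")


def indicators(blocks: list[ExtractedConfig]) -> dict:
    """Collect defanged network IOCs plus findings worth a triage note."""
    iocs = {"urls": [], "domains": [], "findings": []}
    for b in blocks:
        for u in b.urls + ([b.fields["host"]] if "host" in b.fields else []):
            iocs["urls"].append(defang(u))
            iocs["domains"].append(defang(urlparse(u).hostname))
        if b.fields.get("protocol") == "ftp":
            host = defang(urlparse(b.fields["host"]).hostname)
            iocs["findings"].append(
                f"{b.family}: exfiltration over plaintext FTP to {host}:"
                f"{b.fields.get('port')}; credentials and data visible on the wire")
    return iocs


def digests(data: bytes) -> dict:
    """Hex digests of the data for every algorithm the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_HASHES}


def matches_report(data: bytes) -> dict:
    """Per-algorithm match of the data against the report's hashes."""
    d = digests(data)
    return {alg: d[alg] == expected for alg, expected in REPORT_HASHES.items()}


if __name__ == "__main__":
    for kind, values in indicators(parse_report_config(REPORT_CONFIG)).items():
        print(kind, values)
```

Run it against the downloaded sample bytes with `matches_report(open(path, "rb").read())` before trusting that a local file is the one this report describes; a mismatch on any algorithm means a different file.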
Targets
Target: 20230208100.vbs (131KB; hashes as listed under General)
- AgentTesla: Agent Tesla is a .NET-based information stealer and remote access tool (RAT). The .vbs here is the delivery stage; the extracted configuration above is the stealer's, pointing at the FTP exfiltration host.
- Blocklisted process makes network request: a process on the sandbox's blocklist for network activity (for a .vbs sample, the script host that runs it) made an outbound request.
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of NtCreateThreadExHideFromDebugger: creates a thread with the hide-from-debugger flag, an anti-debugging technique.
- Suspicious use of NtSetInformationThreadHideFromDebugger: sets ThreadHideFromDebugger on a thread so an attached debugger stops receiving its events.
- Suspicious use of SetThreadContext: rewrites a thread's context, commonly seen when injecting into or hollowing another process.
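Added example (not the sandbox's own signature code): the behavioural signatures listed for this target re-implemented as Python matchers run over a constructed event stream, so that it is clear what each one keys on. The events are constructed for illustration and are not from the sandbox run. Assumptions: the "blocklisted" network processes are the usual script hosts; the QEMU check reads the guest agent binary at its default install path; the registry key for the configured location is the GeoID under HKCU\Control Panel\International\Geo\Nation; the NT constants (ThreadHideFromDebugger = 0x11, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4) are the documented values.

```python
"""Matchers for the report's behavioural signatures over API/file/registry events."""
from __future__ import annotations

import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}  # assumed blocklist
QEMU_AGENT_FILES = {r"c:\program files\qemu-ga\qemu-ga.exe"}                 # assumed default path
GEO_NATION_KEY = r"hkcu\control panel\international\geo\nation"               # GeoID of the configured location
THREAD_HIDE_FROM_DEBUGGER = 0x11                # THREADINFOCLASS value
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4    # NtCreateThreadEx CreateFlags bit


def sig_blocklisted_net(ev: dict) -> bool:
    return ev["type"] == "network" and ntpath.basename(ev["image"]).lower() in SCRIPT_HOSTS


def sig_qemu_agent(ev: dict) -> bool:
    return ev["type"] == "file" and ev["path"].lower() in QEMU_AGENT_FILES


def sig_location(ev: dict) -> bool:
    return ev["type"] == "registry" and ev["op"] == "query" and ev["key"].lower() == GEO_NATION_KEY


def sig_create_thread_hide(ev: dict) -> bool:
    return (ev["type"] == "api" and ev["name"] == "NtCreateThreadEx"
            and bool(ev["args"].get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER))


def sig_set_info_hide(ev: dict) -> bool:
    return (ev["type"] == "api" and ev["name"] == "NtSetInformationThread"
            and ev["args"].get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER)


def sig_set_thread_context(ev: dict) -> bool:
    # Rewriting a thread's context in a *different* process is the injection /
    # hollowing tell; a debugger adjusting its own debuggee's thread is not flagged here.
    return (ev["type"] == "api" and ev["name"] == "SetThreadContext"
            and ev["args"].get("TargetPid") != ev["pid"])


# Same names and order as the report's signature list.
SIGNATURES = {
    "Blocklisted process makes network request": sig_blocklisted_net,
    "Checks QEMU agent file": sig_qemu_agent,
    "Checks computer location settings": sig_location,
    "Suspicious use of NtCreateThreadExHideFromDebugger": sig_create_thread_hide,
    "Suspicious use of NtSetInformationThreadHideFromDebugger": sig_set_info_hide,
    "Suspicious use of SetThreadContext": sig_set_thread_context,
}


def evaluate(events: list[dict]) -> dict:
    """Return {signature name: first matching event} in report order."""
    hits = {}
    for name, match in SIGNATURES.items():
        for ev in events:
            if match(ev):
                hits[name] = ev
                break
    return hits


# Constructed events (not sandbox output) in a minimal trace-like shape.
SAMPLE_EVENTS = [
    {"type": "network", "pid": 1, "image": r"C:\Windows\System32\wscript.exe", "dest": "megookbpnq.cf:80"},
    {"type": "file", "pid": 1, "op": "open", "path": r"C:\Program Files\Qemu-ga\qemu-ga.exe"},
    {"type": "registry", "pid": 1, "op": "query", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "api", "pid": 1, "name": "NtCreateThreadEx", "args": {"CreateFlags": 0x4}},
    {"type": "api", "pid": 1, "name": "NtSetInformationThread", "args": {"ThreadInformationClass": 0x11}},
    {"type": "api", "pid": 1, "name": "SetThreadContext", "args": {"TargetPid": 7}},
]
BENIGN_EVENTS = [
    {"type": "network", "pid": 2, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest": "example.com:443"},
    {"type": "api", "pid": 2, "name": "SetThreadContext", "args": {"TargetPid": 2}},
    {"type": "api", "pid": 2, "name": "NtCreateThreadEx", "args": {"CreateFlags": 0x0}},
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {ev}")
```

The value of writing the matchers out is the caveat each carries: the network signature is only as good as the blocklist, the QEMU and GeoID checks are single-path/single-key string matches an author can trivially vary, and the SetThreadContext rule needs the target PID to distinguish hollowing from a debugger, which is why the report lists them as "suspicious use" rather than as a verdict.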