General
-
Target
oferta urgente GARMON ENERGIAS, S.L. 02.09.2023.vbs
-
Size
417KB
-
Sample
230209-pmcnhacb26
-
MD5
7d8a0e790aa510d782dc26e392e059b5
-
SHA1
51cff6c25901887b9285db2a14bba6afecc1736b
-
SHA256
46cb28ba99ec877feb3fae26e33f934420fe8cc061d3dc06bfa660c25529f659
-
SHA512
794d31545335a5c52e3ed27f26113bf6cb4eb85e67cd67a2f597d3d837614ba54a39c191153ebd6976ca98bce0cbdd1726adfcd93870a5fa3dab2dac6d1d4c06
-
SSDEEP
12288:Yaui1A78oYQaHzgcOk+dUzUwoPOP61WfR:ciqk7rgwoPM6AfR
Malware Config
Extracted
Protocol: ftp- Host:
ftp.ectrowconstrutora.com.br - Port:
21 - Username:
[email protected] - Password:
@ectrowconstrutora.com.br
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.ectrowconstrutora.com.br - Port:
21 - Username:
[email protected] - Password:
@ectrowconstrutora.com.br
Targets
-
-
Target
oferta urgente GARMON ENERGIAS, S.L. 02.09.2023.vbs
-
Size
417KB
-
MD5
7d8a0e790aa510d782dc26e392e059b5
-
SHA1
51cff6c25901887b9285db2a14bba6afecc1736b
-
SHA256
46cb28ba99ec877feb3fae26e33f934420fe8cc061d3dc06bfa660c25529f659
-
SHA512
794d31545335a5c52e3ed27f26113bf6cb4eb85e67cd67a2f597d3d837614ba54a39c191153ebd6976ca98bce0cbdd1726adfcd93870a5fa3dab2dac6d1d4c06
-
SSDEEP
12288:Yaui1A78oYQaHzgcOk+dUzUwoPOP61WfR:ciqk7rgwoPM6AfR
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-