General
-
Target
New Order - ZKTECO.vbs
-
Size
462KB
-
Sample
230213-mpdx8scf59
-
MD5
a7d3d24729ec8e088d4358b9f37d7486
-
SHA1
8e54990bda05247b908065e2c7f0125326dd6671
-
SHA256
a7e25df59ef9730adda20035b02a904e2a9d2bf3ed74b9236899867ed093e4dd
-
SHA512
855711683ade1d43d708b6902653f3cff6551e6958912fbcb370dd69ea935f00dd9158383d33d642b217f96da45d07349f6a065837d3109c7bb11838f56b7cae
-
SSDEEP
12288:div0VZMgiQRCjww7rDCHeaOD6v2h4n9zY/KYM:JVZMgiQRCjRfDCHbvemf
Malware Config
Extracted
Protocol: ftp- Host:
ftp.vintageconcepts.biz - Port:
21 - Username:
[email protected] - Password:
@vintageconcepts.biz
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.vintageconcepts.biz - Port:
21 - Username:
[email protected] - Password:
@vintageconcepts.biz
Targets
-
-
Target
New Order - ZKTECO.vbs
-
Size
462KB
-
MD5
a7d3d24729ec8e088d4358b9f37d7486
-
SHA1
8e54990bda05247b908065e2c7f0125326dd6671
-
SHA256
a7e25df59ef9730adda20035b02a904e2a9d2bf3ed74b9236899867ed093e4dd
-
SHA512
855711683ade1d43d708b6902653f3cff6551e6958912fbcb370dd69ea935f00dd9158383d33d642b217f96da45d07349f6a065837d3109c7bb11838f56b7cae
-
SSDEEP
12288:div0VZMgiQRCjww7rDCHeaOD6v2h4n9zY/KYM:JVZMgiQRCjRfDCHbvemf
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-