General
-
Target
Produkt nové objednávky.img
-
Size
1.2MB
-
Sample
230213-rq87zsdg29
-
MD5
89ef105f50d2894ba927aa0a22ccaa8e
-
SHA1
b66225042bc0ad015a966a641a7b605d1878c5e7
-
SHA256
464aba033355b90f8c0d2cf8811c267d61e0660b7c4eecfba45be45b9ef7edb7
-
SHA512
3580ecb366f590721205694db00c6bcd5adf411f0634c2c93cd0dcd6313b630b0b17374b311e48bd86b4958acfcdc71f9e7a6a64df883751c21648046a533015
-
SSDEEP
1536:/tvHA3YSlpGtiIwN0eC6b5pivZkFwjYkRakQSAHkxhATo:/FHA3YSlUtyeeCm5cvZkajJUkaeL
Static task
static1
Behavioral task
behavioral1
Sample
PRODUKT_.vbe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
PRODUKT_.vbe
Resource
win10v2004-20220812-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5693068931:AAGSQSNIWDJM1FzeZVNHS020I9wVBrQdkRM/
Targets
-
-
Target
PRODUKT_.VBE
-
Size
51KB
-
MD5
8566f250323d019e194a8d06e8145eb3
-
SHA1
8532f545933a23ccad71e6ac6953b605df609a7e
-
SHA256
5e04ea315ad3b90a431ee7b51dc7d06128f0868518cfcfc5e4f6ed8cb4902982
-
SHA512
40151396ec17370fe42031172e8c8e5d1cefe23207d19f9eecf7a91c616eed9c7e8103c927ed6af6baed1a1ab2885486a41cd8878e5643ade4c2c3ee08cf8148
-
SSDEEP
1536:KHA3YSlpGtiIwN0eC6b5pivZkFwjYkRakQSAHkxhAToN:KHA3YSlUtyeeCm5cvZkajJUkaeLN
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-