Overview

overview

10

Static

static

1

PRODUKT_.vbe

windows7-x64

10

PRODUKT_.vbe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Produkt nové objednávky.img

  • Size

    1.2MB

  • Sample

    230213-rq87zsdg29

  • MD5

    89ef105f50d2894ba927aa0a22ccaa8e

  • SHA1

    b66225042bc0ad015a966a641a7b605d1878c5e7

  • SHA256

    464aba033355b90f8c0d2cf8811c267d61e0660b7c4eecfba45be45b9ef7edb7

  • SHA512

    3580ecb366f590721205694db00c6bcd5adf411f0634c2c93cd0dcd6313b630b0b17374b311e48bd86b4958acfcdc71f9e7a6a64df883751c21648046a533015

  • SSDEEP

    1536:/tvHA3YSlpGtiIwN0eC6b5pivZkFwjYkRakQSAHkxhATo:/FHA3YSlUtyeeCm5cvZkajJUkaeL

Score
10/10
agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5693068931:AAGSQSNIWDJM1FzeZVNHS020I9wVBrQdkRM/

Targets

    • Target

      PRODUKT_.VBE

    • Size

      51KB

    • MD5

      8566f250323d019e194a8d06e8145eb3

    • SHA1

      8532f545933a23ccad71e6ac6953b605df609a7e

    • SHA256

      5e04ea315ad3b90a431ee7b51dc7d06128f0868518cfcfc5e4f6ed8cb4902982

    • SHA512

      40151396ec17370fe42031172e8c8e5d1cefe23207d19f9eecf7a91c616eed9c7e8103c927ed6af6baed1a1ab2885486a41cd8878e5643ade4c2c3ee08cf8148

    • SSDEEP

      1536:KHA3YSlpGtiIwN0eC6b5pivZkFwjYkRakQSAHkxhAToN:KHA3YSlUtyeeCm5cvZkajJUkaeLN

    Score
    10/10
    agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks