General
Target: https://firebasestorage.googleapis.com/v0/b/droid-21a46.appspot.com/o/VBS%20NO%20STARTUP.vbs?alt=media&token=9c52f2bc-e540-47ee-a7b1-677585deacca
Sample: 230330-z72hgaec62
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://firebasestorage.googleapis.com/v0/b/droid-21a46.appspot.com/o/VBS%20NO%20STARTUP.vbs?alt=media&token=9c52f2bc-e540-47ee-a7b1-677585deacca
Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.sisoempresarialsas.com
Port: 21
Username: cousin@sisoempresarialsas.com
Password: _X@Y2JZ!+7b+
Targets
Target: https://firebasestorage.googleapis.com/v0/b/droid-21a46.appspot.com/o/VBS%20NO%20STARTUP.vbs?alt=media&token=9c52f2bc-e540-47ee-a7b1-677585deacca
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext