General
- Target: b1ffeaa164e3794b364d3f9aca4f02d2.bin
- Size: 25KB
- Sample: 230331-casgzagc49
- MD5: ac9ea3b9ec57c241e5f4653bfd60d2a0
- SHA1: bc2e2e01cef33e92d23f4228e7d2e5df9eb5bd1c
- SHA256: 82b9b8a27c9207c488225a48956b069210aa8aafbc33f965c564b1079cd3f231
- SHA512: cbc617849e3eb90c6c1284440c63d0be4eb6c67a002d3f1c718c914480e700fd5b748171d1ea924c7e2e7ab377424191d0b8905af12060ebc49f5ea8abe51f44
- SSDEEP: 384:HiZLbAs7t/jwHkg5oU49syrjdzJlJUwQ3Wj3ggtx8xL2UgJ4VImjUuoCLsGu40Qa:CZnAqUHkg/4G0jJ8mE1+JDm4osPQwX
Static task
- static1

Behavioral task
- behavioral1
  - Sample: ad9ae0fa9d69baa98a9a0ba1660e93b6f87c8f1f226b01b0fa903dcb84cac6dc.vbs
  - Resource: win7-20230220-en

Behavioral task
- behavioral2
  - Sample: ad9ae0fa9d69baa98a9a0ba1660e93b6f87c8f1f226b01b0fa903dcb84cac6dc.vbs
  - Resource: win10v2004-20230220-en
Malware Config
Extracted
- agenttesla
  - Protocol: ftp
  - Host: ftp://ftp.sisoempresarialsas.com
  - Port: 21
  - Username: droid@sisoempresarialsas.com
  - Password: .!LV?]FKWxUy
Targets
- Target: ad9ae0fa9d69baa98a9a0ba1660e93b6f87c8f1f226b01b0fa903dcb84cac6dc.vbs
- Size: 867KB
- MD5: b1ffeaa164e3794b364d3f9aca4f02d2
- SHA1: 3aaaddbf7c7c21b2b5886eefa79e0abc7d6b8d69
- SHA256: ad9ae0fa9d69baa98a9a0ba1660e93b6f87c8f1f226b01b0fa903dcb84cac6dc
- SHA512: b84776e41414252f6da59fc26dc12560b29d8e0eaf9a515cafcd47bd15d6702ee7ee3c2f0fd82d23ea862381896b6438851c8e4aad7aa5c5ca83efca93f3e396
- SSDEEP: 1536:D5FjaXGxbMN75ro6BHB1ZoVuwDTTTTNVBTwqq/YvldOJl7dhWFHFbTTYTEsTT7l2:fQZ4x
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext