General
Target: 9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3vbs.vbs
Size: 54KB
Sample: 231205-wtr54aec49
MD5: efe89d1da63404c434d56b59b1c3c6bd
SHA1: 51d3bd2d1bc60a598f6fb26613732d3c3444dd92
SHA256: 9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3
SHA512: bb4e6a91649558d1933039a589a28a80455610b1199d05f3b9b5b15ecd22352fb7df6e91ed579ed0cdce120d157b374062cb755e95674a85fe0db7985a5e7952
SSDEEP: 768:xrjq4Kw/FiEVWKbkNJFuABuTunNWQwB4JAkIx3TUqtp8s:R+4JdNbkLFuAgiEQw2J5STz2s
Static task: static1
Behavioral task: behavioral1
Sample: 9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3vbs.vbs
Resource: win7-20231025-en
Behavioral task: behavioral2
Sample: 9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3vbs.vbs
Resource: win10v2004-20231130-en
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.mcmprint.net
Port: 21
Username: [email protected]
Password: pK@7[r0Y?XFT
Targets
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext