General
- Target: QUOTE0001113456250324.vbs
- Size: 167KB
- Sample: 240325-txjl1sff3s
- MD5: 167f6046d186ff6fcb3f6620063a0de2
- SHA1: f2b98e37d076177d793b7933aaad6b1184ee58d5
- SHA256: 743a36af1075b2ed3a96048db1db5584273ec49029add4fdd00070650aca67a1
- SHA512: 4f399e5d28f4b12ae17f06c4a6eae742732f2047d5cd06a37aa06bb6eecc4a57215d5faac320a186fd48050516ee89c585aef9239ab57493fc70ef89bed23a3c
- SSDEEP: 3072:sT4yENVBkYr4LhpVXpKnupn8kH3DPbkhZi3eNR2DOFN0m4VGEvyM+gZM6MEMy2Im:sT4yENVOY0NpVXpK68kH3DPbkhZi3eNb
Static task: static1
Behavioral task: behavioral1
- Sample: QUOTE0001113456250324.vbs
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: QUOTE0001113456250324.vbs
- Resource: win10v2004-20240226-en
Malware Config
Extracted
- Protocol: smtp
- Host: mail.ceviamonte.com.ar
- Port: 587
- Username: [email protected]
- Password: josetony
Extracted: agenttesla
- Protocol: smtp
- Host: mail.ceviamonte.com.ar
- Port: 587
- Username: [email protected]
- Password: josetony
- Email To: [email protected]
Targets
- Target: QUOTE0001113456250324.vbs
- Size: 167KB
- MD5: 167f6046d186ff6fcb3f6620063a0de2
- SHA1: f2b98e37d076177d793b7933aaad6b1184ee58d5
- SHA256: 743a36af1075b2ed3a96048db1db5584273ec49029add4fdd00070650aca67a1
- SHA512: 4f399e5d28f4b12ae17f06c4a6eae742732f2047d5cd06a37aa06bb6eecc4a57215d5faac320a186fd48050516ee89c585aef9239ab57493fc70ef89bed23a3c
- SSDEEP: 3072:sT4yENVBkYr4LhpVXpKnupn8kH3DPbkhZi3eNR2DOFN0m4VGEvyM+gZM6MEMy2Im:sT4yENVOY0NpVXpK68kH3DPbkhZi3eNb
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext