General
Target: TRANSFERENCIA.vbs
Size: 37KB
Sample: 240326-pxw5wsdd3x
MD5: 70e2f192eb252c254ebdfb15dd1f6817
SHA1: a62bf451789a65d45678e691760c81c3d412b49c
SHA256: 047a32d755255cc196414105150bc45efe6bd37d1d0951ff7b7628321227cae6
SHA512: 8e8b9b9068c37603e01c74a34c24400afb6594f2d05b9ea8969c3606ce128f4191650ec72437cab639c4c9af7522b1b6dc3425d7f6ab08d5bac5615a095efdbe
SSDEEP: 768:u0zgBjYWAZGc8NnKwiQMYbAPjDpHLFggPYC:4YqNnKwkeAXhL6gPx
Static task: static1
Behavioral task: behavioral1
Sample: TRANSFERENCIA.vbs
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: TRANSFERENCIA.vbs
Resource: win10v2004-20240226-en
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.cash4cars.nz
Port: 587
Username: [email protected]
Password: logs2024!
Email To: [email protected]
Targets
Target: TRANSFERENCIA.vbs
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext