General
-
Target
RFQ20240327_Commerical List_pdf.vbs
-
Size
37KB
-
Sample
240327-hqya2seh72
-
MD5
6a729791e8a9e77ba4443e0dec021d4b
-
SHA1
e1748a0c685509bfa1f6c4e27dfd91a2f2974a87
-
SHA256
574f418391643fc0503358469521b453be3b4126aa7f0a92c5d89d820eb15584
-
SHA512
4c6ce18c2796a107d742a27d5e7fd211ff1154c2a033dcd69d6cd2402f130c1165b01a9fc6b2dbcf55f8a65331d9a40e81b05ba49341fcd5845f37d3a7f65eb6
-
SSDEEP
768:u0QgBk2OWAZGc8NnKwiQj4p+NO+rAPw3uT:7aqNnKwsp8UPwa
Static task
static1
Behavioral task
behavioral1
Sample
RFQ20240327_Commerical List_pdf.vbs
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
RFQ20240327_Commerical List_pdf.vbs
Resource
win10v2004-20240226-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.ispartamensucat.com.tr - Port:
587 - Username:
[email protected] - Password:
Qaz!'2020,
Extracted
agenttesla
Protocol: smtp- Host:
mail.ispartamensucat.com.tr - Port:
587 - Username:
[email protected] - Password:
Qaz!'2020, - Email To:
[email protected]
Targets
-
-
Target
RFQ20240327_Commerical List_pdf.vbs
-
Size
37KB
-
MD5
6a729791e8a9e77ba4443e0dec021d4b
-
SHA1
e1748a0c685509bfa1f6c4e27dfd91a2f2974a87
-
SHA256
574f418391643fc0503358469521b453be3b4126aa7f0a92c5d89d820eb15584
-
SHA512
4c6ce18c2796a107d742a27d5e7fd211ff1154c2a033dcd69d6cd2402f130c1165b01a9fc6b2dbcf55f8a65331d9a40e81b05ba49341fcd5845f37d3a7f65eb6
-
SSDEEP
768:u0QgBk2OWAZGc8NnKwiQj4p+NO+rAPw3uT:7aqNnKwsp8UPwa
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-