General

  • Target

    RFQ20240327_Commerical List.vbs

  • Size

    37KB

  • Sample

    240327-hqya2shh8w

  • MD5

    3ff689ec2afa2b53b3d5ae76311c9134

  • SHA1

    d97f2bc2c8b06b112853f5a90957b74e5483d75c

  • SHA256

    06170ef8b08bd8d2e7852f0223a3a5cfcd2e13110424a091e97da539cb5daeab

  • SHA512

    c47944327eff299d4f2a35b288016614b538c6920546d311406202b79d22155a82b2d498be78a6a57be3a826583a8e286c45d8a8f562215b8f99f92b62f1ac09

  • SSDEEP

    768:u0NgBv2rWAZGc8NnKwiQmV1RuAP11GtbpZS:+cqNnKwGuUvmbC

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.inkomech.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Amir@2021

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      RFQ20240327_Commerical List.vbs

    • Size

      37KB

    • MD5

      3ff689ec2afa2b53b3d5ae76311c9134

    • SHA1

      d97f2bc2c8b06b112853f5a90957b74e5483d75c

    • SHA256

      06170ef8b08bd8d2e7852f0223a3a5cfcd2e13110424a091e97da539cb5daeab

    • SHA512

      c47944327eff299d4f2a35b288016614b538c6920546d311406202b79d22155a82b2d498be78a6a57be3a826583a8e286c45d8a8f562215b8f99f92b62f1ac09

    • SSDEEP

      768:u0NgBv2rWAZGc8NnKwiQmV1RuAP11GtbpZS:+cqNnKwGuUvmbC

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (historically described as written in Visual Basic .NET). It harvests credentials and keystrokes and exfiltrates them over SMTP, FTP or HTTP, which is why an SMTP account is recovered from this sample's configuration.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the hide-from-debugger flag so an attached debugger receives no events for it; an anti-analysis technique.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Marks an existing thread as hidden from the debugger (ThreadHideFromDebugger); an anti-analysis technique.

    • Suspicious use of SetThreadContext

      Rewrites another thread's register state, typically to redirect execution into injected code (process hollowing or injection).

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery

    Query Registry (T1012): 1 matching signature
    System Information Discovery (T1082): 2 matching signatures

  • Command and Control

    Web Service (T1102): 1 matching signature

Tasks