General
-
Target
PAYMENT INVOICE.rar
-
Size
17KB
-
Sample
240327-lzg7zahf87
-
MD5
152a1a11e9e26efa876e78886f080f52
-
SHA1
2349d8a9bab40be0c52587b7adaea8437c1fd6d4
-
SHA256
cfc9c0ae88446c90e72083988a9a05688a2c63341849e73fcc2c8b18bc17bb67
-
SHA512
d91b25e913b51d1037c6e78b898013cb56735b2d14689f941576225f24c38d0958bc77f8d8b60e2b7c1cf57f21741b964d9a3241c8ad7feb0df6ba1c6a00061d
-
SSDEEP
384:lCnhNTxc0eUUsKn2ACM2ZEFOgbzkVyLjvMvkcrr0KzMQw6a:QnhNTxTeUUsKn9CM/4AxvMvk+s6a
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
cp8nl.hyperhost.ua - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@# - Email To:
[email protected]
Targets
-
-
Target
Stentmaster.vbs
-
Size
38KB
-
MD5
613702fe5cd92cf1be6aee56add6c9ec
-
SHA1
99ecdbd2acfe1da9de01679f97d1f48e96af8929
-
SHA256
26e21e671b5aaad789b9b55783987f6654adc120c8f70c6ccecc39c349eecbe1
-
SHA512
c9eda14f03f6e94659494ea255c43b3dd4a334cb1070a1599a14dea2a30fd880115427a9a4058da0f1e78adfd889c8469c9e1d52cf2213cd4057a705d1f0bc5e
-
SSDEEP
768:u0LgBYRBVWAZGc8NnKwiQD2g+Q8z3SsJb:w6qNnKw6zz35
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-