General
- Target: a4f398506567316426b990b03abbcfdea1a14df75c46c4bd4fc4f61e0a2035dd
- Size: 13KB
- Sample: 240328-bpswlsac22
- MD5: f72f5ac891b4beb3f74b57773a019a7e
- SHA1: 415b3ec46de6d5715d69f895fd89123028aded8e
- SHA256: a4f398506567316426b990b03abbcfdea1a14df75c46c4bd4fc4f61e0a2035dd
- SHA512: 23d58baf26eadd897b2600112a6e541d1a8cbf1c90d9efddcba3226c59e45c0664b5b0e52f41aa21026c6abb3481b41f6dc145f3b2dd35b8965d71b09ee55c09
- SSDEEP: 384:H1dYDZFV8M7MtemC6mJXmzEfMky3zxBTzsK8ZpLeyUcjO/5GggBdVQtVy:HwVZ7lxMXky+rbO/KVJ
Static task: static1
Behavioral task: behavioral1
- Sample: a4f398506567316426b990b03abbcfdea1a14df75c46c4bd4fc4f61e0a2035dd.vbs
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a4f398506567316426b990b03abbcfdea1a14df75c46c4bd4fc4f61e0a2035dd.vbs
- Resource: win10v2004-20240226-en
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.elquijotebanquetes.com
- Port: 21
- Username: [email protected]
- Password: 4r@d15PS!-!h
Targets
- Target: a4f398506567316426b990b03abbcfdea1a14df75c46c4bd4fc4f61e0a2035dd
- Size: 13KB
- MD5: f72f5ac891b4beb3f74b57773a019a7e
- SHA1: 415b3ec46de6d5715d69f895fd89123028aded8e
- SHA256: a4f398506567316426b990b03abbcfdea1a14df75c46c4bd4fc4f61e0a2035dd
- SHA512: 23d58baf26eadd897b2600112a6e541d1a8cbf1c90d9efddcba3226c59e45c0664b5b0e52f41aa21026c6abb3481b41f6dc145f3b2dd35b8965d71b09ee55c09
- SSDEEP: 384:H1dYDZFV8M7MtemC6mJXmzEfMky3zxBTzsK8ZpLeyUcjO/5GggBdVQtVy:HwVZ7lxMXky+rbO/KVJ
Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext