General
Target: de7041f25e9f3a988a90b0fdf1d8e90aa8a6896c594eacba0b0fa1b81eca90dd
Size: 38KB
Sample: 240328-btbg5aac76
MD5: 2e0c2134e45ab06b68e1f2c9eaac7890
SHA1: 24d2aa2cb1cc82cbde2f934d49aeedf47c6ba74d
SHA256: de7041f25e9f3a988a90b0fdf1d8e90aa8a6896c594eacba0b0fa1b81eca90dd
SHA512: 84d21260a0da041dd391c725b6e9dd96c49dbc4fc9f30303a81e24f4a459b4df34937c608cbbcf32ecfac96983308a4ba91e80c390399d91ea8dd3249b0c4c24
SSDEEP: 384:u0ogBz3UIWz0AujGKoCJmMuttrW6ku83V3aiHw2oaXw4Crb8Na/AZrzbtzocLCKV:u0ogBz9WAZGc8NnKwiQQS3AhHtocL3F
Static task: static1
Behavioral task: behavioral1
Sample: de7041f25e9f3a988a90b0fdf1d8e90aa8a6896c594eacba0b0fa1b81eca90dd.vbs
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: de7041f25e9f3a988a90b0fdf1d8e90aa8a6896c594eacba0b0fa1b81eca90dd.vbs
Resource: win10v2004-20240226-en
Malware Config
Extracted
Protocol: smtp
Host: mail.ispartamensucat.com.tr
Port: 587
Username: [email protected]
Password: Qaz!'2020,
Extracted
agenttesla
Protocol: smtp
Host: mail.ispartamensucat.com.tr
Port: 587
Username: [email protected]
Password: Qaz!'2020,
Email To: [email protected]
Targets
Target: de7041f25e9f3a988a90b0fdf1d8e90aa8a6896c594eacba0b0fa1b81eca90dd
Size: 38KB
MD5: 2e0c2134e45ab06b68e1f2c9eaac7890
SHA1: 24d2aa2cb1cc82cbde2f934d49aeedf47c6ba74d
SHA256: de7041f25e9f3a988a90b0fdf1d8e90aa8a6896c594eacba0b0fa1b81eca90dd
SHA512: 84d21260a0da041dd391c725b6e9dd96c49dbc4fc9f30303a81e24f4a459b4df34937c608cbbcf32ecfac96983308a4ba91e80c390399d91ea8dd3249b0c4c24
SSDEEP: 384:u0ogBz3UIWz0AujGKoCJmMuttrW6ku83V3aiHw2oaXw4Crb8Na/AZrzbtzocLCKV:u0ogBz9WAZGc8NnKwiQQS3AhHtocL3F
Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext