General

  • Target

    Richiesta di preventivo_RFQ03272024_pdf.vbs

  • Size

    38KB

  • Sample

    240328-h1jkmsfc2y

  • MD5

    8a0530bfc9d13277e0e17d29a3332e2f

  • SHA1

    f4b0e3d14f828966aa757efa565e7e9b718b128b

  • SHA256

    57bda585ab46e7352a204f54d86544ff5581a1ea7448d4ef1f82b1f9b2367867

  • SHA512

    2d7781310c52b0a50bae3694ba09eb876b7710972417292c655e8808d44672ef2a6c2639d30f0bcec4bcf46ceae8690b2e545c4db8456594694e5d01579bf0c1

  • SSDEEP

    768:u0mgBX0WAZGc8NnKwiQH5TjBXloK07vxCqnkP:9EqNnKwf5R1oK07JCqnw

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.inkomech.com
  • Port:
    587
  • Username:
    amir.hussin@inkomech.com
  • Password:
    Amir@2021
  • Email To:
    kingpentecost22@gmail.com

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

    • Discovery

      Query Registry (1) - T1012
      System Information Discovery (2) - T1082

    • Command and Control

      Web Service (1) - T1102