General
-
Target
salaryinfo24.vbs
-
Size
167KB
-
Sample
240328-hzyyyach58
-
MD5
41bd6059396fdb7e5fd6692c003b58a0
-
SHA1
9da6c16a501a619e44652bf1eb3eea3012835f53
-
SHA256
9f20ac2fe0041feeda59946899fe0ae20d0d74de009990023102a7d902065324
-
SHA512
a79a1770e4aeefe5a72cc3478cd5fc59c9cfa85b9de644aef1e00c4971b065269c2f68e07223b3115695e88a0c798132fc2c8a52a6af4f0f44679ca5339ba119
-
SSDEEP
3072:UpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8Dh20PWgn:UpKyPeadLaz+k0zn1j7rZeqGbHfNcckk
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.myhydropowered.com - Port:
587 - Username:
abacus@myhydropowered.com - Password:
0nVaQweHLu8RyVL - Email To:
heavywealth@myhydropowered.com
Targets
-
-
Target
salaryinfo24.vbs
-
Size
167KB
-
MD5
41bd6059396fdb7e5fd6692c003b58a0
-
SHA1
9da6c16a501a619e44652bf1eb3eea3012835f53
-
SHA256
9f20ac2fe0041feeda59946899fe0ae20d0d74de009990023102a7d902065324
-
SHA512
a79a1770e4aeefe5a72cc3478cd5fc59c9cfa85b9de644aef1e00c4971b065269c2f68e07223b3115695e88a0c798132fc2c8a52a6af4f0f44679ca5339ba119
-
SSDEEP
3072:UpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8Dh20PWgn:UpKyPeadLaz+k0zn1j7rZeqGbHfNcckk
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-