General
Target: Wage_Plan_pdf.vbs
Size: 167KB
Sample: 240328-hzyyyafb9z
MD5: 98d38570369050c3e503e18035277ad8
SHA1: 384119a540c60cd5c853375a03fdc6080e0e359e
SHA256: fa2132896865e53db4ca14d8cad05bd53bcc176bed28e3a39a2ec99501e034a6
SHA512: 8b1a83a1a4295690494749308f5558765c262305f1a2238a800f4c6fa8d9ebe0a6d52be4993dacf99c45a65c85ffd20107ff02f262d30372ef25c7ae412b4815
SSDEEP: 3072:xpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DdUqYy5:xpKyPeadLaz+k0zn1j7rZeqGbHfNcckg
Static task: static1
Behavioral task: behavioral1
  Sample: Wage_Plan_pdf.vbs
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: Wage_Plan_pdf.vbs
  Resource: win10v2004-20240226-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.myhydropowered.com
Port: 587
Username: africa@myhydropowered.com
Password: q5NHtWyc5WKhunX
Email To: vartaexperts@myhydropowered.com
These are the SMTP credentials the stealer uses to mail harvested data to the attacker-controlled mailbox; treat the host and both addresses as indicators of compromise, not as victim data.
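The extracted configuration is what an analyst turns into blocks and hunts: the SMTP host is a network indicator, both mailboxes identify the actor's infrastructure, and the file hashes pin the sample. The Python below is an added example, not part of this report or of the sandbox's own tooling. It parses the flattened config exactly as it appears on this page (including the run-together "value- Key:" layout), validates the hash table, and emits an IOC bundle plus a Suricata DNS rule. The input text and hashes are copied from the page; the rule wording, its classtype and its sid are this example's assumptions.

```python
import json
import re

# Constructed input: the Malware Config block copied from the report above,
# kept in its run-together "value- Key:" layout so the parser has to cope with it.
REPORT_CONFIG = """Protocol: smtp- Host:
mail.myhydropowered.com - Port:
587 - Username:
africa@myhydropowered.com - Password:
q5NHtWyc5WKhunX - Email To:
vartaexperts@myhydropowered.com"""

# File hashes as listed on the report page.
REPORT_HASHES = {
    "md5": "98d38570369050c3e503e18035277ad8",
    "sha1": "384119a540c60cd5c853375a03fdc6080e0e359e",
    "sha256": "fa2132896865e53db4ca14d8cad05bd53bcc176bed28e3a39a2ec99501e034a6",
}

FIELDS = ("Protocol", "Host", "Port", "Username", "Password", "Email To")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_agenttesla_smtp_config(text: str) -> dict:
    """Turn the flattened 'Key: value- Key: value' text into a dict.

    Keys become snake_case ('Email To' -> 'email_to'); Port becomes an int.
    """
    flat = " ".join(text.split())  # collapse line breaks and runs of spaces
    names = "|".join(re.escape(f) for f in FIELDS)
    # A value runs from 'Key:' up to the optional ' - ' / '- ' separator that
    # precedes the next known key, or up to the end of the text.
    pattern = re.compile(rf"({names}):\s*(.*?)\s*-?\s*(?=(?:{names}):|$)")
    cfg = {key.lower().replace(" ", "_"): value for key, value in pattern.findall(flat)}
    if "port" in cfg:
        cfg["port"] = int(cfg["port"])
    return cfg


def validate_hashes(hashes: dict) -> list:
    """Return the names of any hashes that are not lowercase hex of the right length."""
    return [
        name for name, value in hashes.items()
        if len(value) != HASH_LEN.get(name, -1) or not re.fullmatch(r"[0-9a-f]+", value)
    ]


def config_iocs(cfg: dict, hashes: dict) -> dict:
    """Bundle the exfil config and file hashes into a flat IOC set for blocking and hunting."""
    mailboxes = {cfg["username"].lower(), cfg["email_to"].lower()}
    domains = {cfg["host"].lower()} | {m.split("@", 1)[1] for m in mailboxes}
    return {
        "file_hashes": dict(hashes),
        "domains": sorted(domains),
        "email_addresses": sorted(mailboxes),
        "exfil_endpoint": {"proto": cfg["protocol"], "host": cfg["host"], "port": cfg["port"]},
    }


def suricata_dns_rule(cfg: dict, sid: int = 9000001) -> str:
    """Hypothetical Suricata rule flagging a DNS lookup of the exfil host.

    The sid is a local placeholder (assumption); adjust it to your own allocation.
    Matching on the DNS query avoids depending on whether the SMTP session is
    wrapped in STARTTLS.
    """
    host = cfg["host"]
    return (
        f'alert dns $HOME_NET any -> any any (msg:"AgentTesla exfil host DNS lookup {host}"; '
        f'dns.query; content:"{host}"; nocase; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    cfg = parse_agenttesla_smtp_config(REPORT_CONFIG)
    bad = validate_hashes(REPORT_HASHES)
    if bad:
        raise SystemExit(f"malformed hashes in report: {bad}")
    print(json.dumps(config_iocs(cfg, REPORT_HASHES), indent=2))
    print(suricata_dns_rule(cfg))
```

The same parser works on other Triage-style flattened configs as long as the field names are added to FIELDS; the hash check is worth keeping because copy-pasted hashes from rendered pages are a common source of broken blocklist entries.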
Targets
Wage_Plan_pdf.vbs (167KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
AgentTesla: Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; SMTP exfiltration of harvested credentials, as in the extracted config above, is typical for the family.
Blocklisted process makes network request
Checks computer location settings: looks up the country code configured in the registry, likely a geofence check before the payload runs.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtCreateThreadExHideFromDebugger: anti-debugging; the thread is created already hidden from an attached debugger.
Suspicious use of NtSetInformationThreadHideFromDebugger: anti-debugging; debug events from the thread are no longer delivered to the debugger.
Suspicious use of SetThreadContext: commonly used to redirect execution of an injected or hollowed process.