General
Target: Wage_plan_pdf.rar
Size: 66KB
Sample: 240328-jvzkcade83
MD5: ec7a8850d50a7493ece43a2b26a185d7
SHA1: 29cd9d7c9a6003c2aef13b106087535754176c5f
SHA256: 561fec9f88459a047a4a859c68ec93743aba2c4f18d0243fba7fe514ffdf346e
SHA512: a42556321abc57ab2b64650ba8c2871bb99939ec4c051610229a05ad53f7a857573d44cdf5a97646081f50929f62e3614e52286fa8c4b19842e2116cdb883318
SSDEEP: 1536:CUGddsfITIWZhd+JjEJw8NhBr9pCC0d00eY+ggyL:+XsQTZ/hqSnpp70d0fgg8
Static task: static1
Behavioral task: behavioral1
  Sample: Wage_Plan_pdf.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Wage_Plan_pdf.vbs
  Resource: win10v2004-20231215-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.myhydropowered.com
  Port: 587
  Username: africa@myhydropowered.com
  Password: q5NHtWyc5WKhunX
  Email To: vartaexperts@myhydropowered.com
Targets
Target: Wage_Plan_pdf.vbs
Size: 167KB
MD5: 98d38570369050c3e503e18035277ad8
SHA1: 384119a540c60cd5c853375a03fdc6080e0e359e
SHA256: fa2132896865e53db4ca14d8cad05bd53bcc176bed28e3a39a2ec99501e034a6
SHA512: 8b1a83a1a4295690494749308f5558765c262305f1a2238a800f4c6fa8d9ebe0a6d52be4993dacf99c45a65c85ffd20107ff02f262d30372ef25c7ae412b4815
SSDEEP: 3072:xpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DdUqYy5:xpKyPeadLaz+k0zn1j7rZeqGbHfNcckg
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. The configuration extracted above shows this sample exfiltrating over SMTP (port 587) to mail.myhydropowered.com using hard-coded mailbox credentials.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Both calls set ThreadHideFromDebugger on a thread, which stops that thread's debug events from reaching an attached debugger (an anti-analysis measure).
- Suspicious use of SetThreadContext
  Typically used to redirect a suspended thread into injected code (process injection/hollowing).
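As an added example (not part of the sandbox report, the sample, or the Agent Tesla code itself), the Python below turns the extracted SMTP configuration and the two file hashes above into a small IOC matcher: it flags connections to the exfiltration host on any port and SMTP submission (587) to hosts outside an assumed corporate mail allowlist, recovers the account name from a cleartext AUTH LOGIN exchange and compares it with the extracted username, and maps file content to the report's artifacts by SHA-256. The connection log, the SMTP transcript (which assumes the session ran without STARTTLS, so AUTH LOGIN is visible), the hostnames in the allowlist and the source IPs are all constructed for the demonstration; only the C2 host, port, mailbox names and hashes come from the report.

```python
"""IOC matcher built from the report's extracted AgentTesla SMTP config and hashes.

Added example; the log lines, SMTP transcript and allowlist are constructed.
"""
import base64
import hashlib
import re

# Indicators copied from the report's extracted configuration.
C2_SMTP = {
    "host": "mail.myhydropowered.com",
    "port": 587,
    "username": "africa@myhydropowered.com",
    "mail_to": "vartaexperts@myhydropowered.com",
}

# SHA-256 values from the report: the RAR archive and the VBS dropper inside it.
KNOWN_SHA256 = {
    "561fec9f88459a047a4a859c68ec93743aba2c4f18d0243fba7fe514ffdf346e": "Wage_plan_pdf.rar",
    "fa2132896865e53db4ca14d8cad05bd53bcc176bed28e3a39a2ec99501e034a6": "Wage_Plan_pdf.vbs",
}

# Constructed connection log; hypothetical "timestamp src dst_host dst_port" format.
SAMPLE_CONN_LOG = """\
2024-03-28T10:01:02Z 10.0.0.15 www.example.com 443
2024-03-28T10:01:09Z 10.0.0.15 mail.myhydropowered.com 587
2024-03-28T10:01:30Z 10.0.0.16 smtp.corp.example 587
2024-03-28T10:02:00Z 10.0.0.22 mail.myhydropowered.com 443
2024-03-28T10:03:11Z 10.0.0.31 relay.free-mail.example 587
"""

# Constructed SMTP transcript of the exfiltration session (assumes no STARTTLS,
# so AUTH LOGIN is readable; the password line is deliberately redacted).
SAMPLE_SMTP_SESSION = """\
C: EHLO DESKTOP-VICTIM
S: 250-mail.myhydropowered.com
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWZyaWNhQG15aHlkcm9wb3dlcmVkLmNvbQ==
S: 334 UGFzc3dvcmQ6
C: <redacted>
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<africa@myhydropowered.com>
C: RCPT TO:<vartaexperts@myhydropowered.com>
"""


def match_connections(log_text, allowed_smtp_hosts=frozenset({"smtp.corp.example"})):
    """Return (line_no, src, reason) for connections to the C2 host on any port,
    and for SMTP submission (587) to hosts outside the assumed corporate allowlist."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        _ts, src, dst_host, dst_port = line.split()
        if dst_host.lower() == C2_SMTP["host"]:
            hits.append((lineno, src, "agenttesla_c2_host"))
        elif int(dst_port) == 587 and dst_host.lower() not in allowed_smtp_hosts:
            hits.append((lineno, src, "smtp_submission_to_unapproved_host"))
    return hits


def smtp_auth_login_username(session_text):
    """Return the username the client sent in an SMTP AUTH LOGIN exchange, or None.
    The server prompt '334 VXNlcm5hbWU6' is base64 for 'Username:'."""
    lines = session_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.startswith("S: 334 VXNlcm5hbWU6") and lines[i + 1].startswith("C: "):
            try:
                return base64.b64decode(lines[i + 1][3:], validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def match_smtp_session(session_text):
    """Compare a captured SMTP session with the extracted exfiltration config."""
    rcpts = re.findall(r"^C: RCPT TO:<([^>]+)>", session_text, re.MULTILINE)
    return {
        "c2_account_used": smtp_auth_login_username(session_text) == C2_SMTP["username"],
        "exfil_recipient": C2_SMTP["mail_to"] in {r.lower() for r in rcpts},
    }


def identify_file(data):
    """Map file content to a report artifact name by SHA-256, or None if unknown."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for hit in match_connections(SAMPLE_CONN_LOG):
        print("conn", *hit)
    print("smtp", match_smtp_session(SAMPLE_SMTP_SESSION))
    print("file", identify_file(b"not the real dropper"))
```

The host match fires regardless of port because the report lists the host as infrastructure, not just as a mail server; the port-587 rule is a hunting heuristic that depends on the allowlist being accurate for your environment, and the AUTH LOGIN decoder only helps where the session is not wrapped in STARTTLS.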