General
Target: Transaction Advice_280324-WS-394-1247.vbe
Size: 37KB
Sample: 240328-xamlyaeb77
MD5: 59200834d1f2d2e7bab5ba30673d4cfc
SHA1: b6bbf692dd8d9be2e3a0aff8ebee2cc45c072c50
SHA256: 27246335d057b1f5bcaafd4655ad328b24400b2337801ae27695558484695419
SHA512: c387442afe541ac5e1d320cca4c6063512955a062de3d458473b5fa3bdd35a28d3c3a672888e72fe4d3cf98b6db6be3f35c1827c0c32584dc8cf5c7f7efd404b
SSDEEP: 768:u01gBqQWAZGc8NnKwiQFNof+OmTXP9aTaSkFs:enqNnKw1OEXP92ao
Static task: static1
Behavioral task: behavioral1
Sample: Transaction Advice_280324-WS-394-1247.vbe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: Transaction Advice_280324-WS-394-1247.vbe
Resource: win10v2004-20240226-en
Malware Config
Extracted
Protocol: smtp
Host: mail.inkomech.com
Port: 587
Username: amir.hussin@inkomech.com
Password: Amir@2021
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.inkomech.com
Port: 587
Username: amir.hussin@inkomech.com
Password: Amir@2021
Email To: williamslucy570@gmail.com
Targets
Target: Transaction Advice_280324-WS-394-1247.vbe
Size: 37KB
MD5: 59200834d1f2d2e7bab5ba30673d4cfc
SHA1: b6bbf692dd8d9be2e3a0aff8ebee2cc45c072c50
SHA256: 27246335d057b1f5bcaafd4655ad328b24400b2337801ae27695558484695419
SHA512: c387442afe541ac5e1d320cca4c6063512955a062de3d458473b5fa3bdd35a28d3c3a672888e72fe4d3cf98b6db6be3f35c1827c0c32584dc8cf5c7f7efd404b
SSDEEP: 768:u01gBqQWAZGc8NnKwiQFNof+OmTXP9aTaSkFs:enqNnKw1OEXP92ao
Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext