General

  • Target

    Transaction Advice_280324-WS-394-1247.vbe

  • Size

    37KB

  • Sample

    240328-xamlyaeb77

  • MD5

    59200834d1f2d2e7bab5ba30673d4cfc

  • SHA1

    b6bbf692dd8d9be2e3a0aff8ebee2cc45c072c50

  • SHA256

    27246335d057b1f5bcaafd4655ad328b24400b2337801ae27695558484695419

  • SHA512

    c387442afe541ac5e1d320cca4c6063512955a062de3d458473b5fa3bdd35a28d3c3a672888e72fe4d3cf98b6db6be3f35c1827c0c32584dc8cf5c7f7efd404b

  • SSDEEP

    768:u01gBqQWAZGc8NnKwiQFNof+OmTXP9aTaSkFs:enqNnKw1OEXP92ao

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.inkomech.com
  • Port:
    587
  • Username:
    amir.hussin@inkomech.com
  • Password:
    Amir@2021

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.inkomech.com
  • Port:
    587
  • Username:
    amir.hussin@inkomech.com
  • Password:
    Amir@2021
  • Email To:
    williamslucy570@gmail.com

Targets

    • Target

      Transaction Advice_280324-WS-394-1247.vbe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery

    Query Registry (1 signature): T1012

    System Information Discovery (2 signatures): T1082

  • Command and Control

    Web Service (1 signature): T1102
