General
Target: JUSTIFICANTE DE PAGO.vbs (Spanish lure name, "proof of payment")
Size: 210KB
Sample: 240415-k2177adb7w
MD5: 5c629502f5f297b1473c1288daef4815
SHA1: c1339b52ef4f18e1bc269d928bbf85387d17b3e4
SHA256: f0faf14409482a52de11a52384c0a7dd0067f13f7063d61fe400e0a5cbf5df8d
SHA512: e4f7951973b8a19231acd3afca20ea0a4dc479d039cef2a5634cacefad9261006bfbea7288d444725cfb7e8e5aa9f33891779d68fa393fe0b60404b7a6664ec2
SSDEEP: 6144:iYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJfcqNZ:X2dOtzRn
Static task: static1
Behavioral task: behavioral1 (sample JUSTIFICANTE DE PAGO.vbs, resource win7-20240215-es)
Behavioral task: behavioral2 (sample JUSTIFICANTE DE PAGO.vbs, resource win10v2004-20240412-es)
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.cash4cars.nz
Port: 587
Username: [email protected]
Password: logs2024!
Email To: [email protected]
Targets
Target: JUSTIFICANTE DE PAGO.vbs (210KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- AgentTesla: Agent Tesla is a .NET-based information stealer and remote access tool (RAT). In this sample it is delivered by a VBS loader and exfiltrates over SMTP to the mailbox in the extracted config.
- Blocklisted process makes network request: a process on the sandbox's blocklist (for example a script host such as wscript.exe) initiated an outbound connection.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application: persistence through a value under Software\Microsoft\Windows\CurrentVersion\Run, so the payload is relaunched at logon.
- Legitimate hosting services abused for malware hosting/C2: payload or command-and-control traffic goes to a legitimate third-party service rather than attacker-owned infrastructure.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger: a thread is created with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, so an attached debugger receives no events for it (anti-debugging).
- Suspicious use of NtSetInformationThreadHideFromDebugger: ThreadHideFromDebugger is set on an existing thread, with the same effect.
- Suspicious use of SetThreadContext: another thread's register context is overwritten, which is how process hollowing and similar injection redirect execution into the injected payload.
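The signatures above are host behaviours that can be turned into detections. The following is an added example, not part of the tria.ge report and not Agent Tesla's own code: rule logic run over constructed, Sysmon-like telemetry that flags a process which combines Run-key persistence, the registry geofence lookup, an external-IP lookup and SMTP from a script host. The event schema, the process and lookup-host lists, the assumption that the geofence signature fires on the Control Panel\International\Geo\Nation key, and the two-rule scoring threshold are all assumptions; only the SMTP host and port come from the extracted config.

```python
"""Detection logic for the behaviours listed in the report, run over
constructed endpoint telemetry. Added example; event shape, host lists,
registry paths and the scoring threshold are assumptions, not from the page."""

from collections import defaultdict
from dataclasses import dataclass

# Assumed reference lists; extend from your own environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
                   "ifconfig.me", "ipinfo.io"}
RUN_KEY_FRAGMENTS = ("\\microsoft\\windows\\currentversion\\run\\",
                     "\\microsoft\\windows\\currentversion\\runonce\\")
# Assumed to be the key behind "Checks computer location settings".
GEO_KEY_SUFFIX = "\\control panel\\international\\geo\\nation"
MAIL_PORTS = {25, 465, 587}
NETWORK_RULES = {"external_ip_lookup", "script_host_smtp", "script_host_network"}


@dataclass(frozen=True)
class Event:
    kind: str      # "registry_set" | "registry_read" | "net_connect"
    image: str     # process image name that performed the action
    target: str    # registry value path, or destination host for net_connect
    port: int = 0  # destination port for net_connect


def classify(event):
    """Return the rule names a single event triggers (possibly several)."""
    img, tgt = event.image.lower(), event.target.lower()
    hits = []
    if event.kind == "registry_set" and any(f in tgt for f in RUN_KEY_FRAGMENTS):
        hits.append("run_key_persistence")
    if event.kind == "registry_read" and tgt.endswith(GEO_KEY_SUFFIX):
        hits.append("geofence_registry_lookup")
    if event.kind == "net_connect":
        if tgt in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
        if img in SCRIPT_HOSTS and event.port in MAIL_PORTS:
            hits.append("script_host_smtp")
        elif img in SCRIPT_HOSTS:
            hits.append("script_host_network")
    return hits


def correlate(events):
    """Group distinct rule hits per process image."""
    per_image = defaultdict(set)
    for e in events:
        for rule in classify(e):
            per_image[e.image.lower()].add(rule)
    return dict(per_image)


def suspicious_images(per_image, min_rules=2):
    """Images with at least min_rules distinct hits, one of them network-related.
    A single hit (a mail client on 587, a benign Run key) is not enough on its own."""
    return sorted(img for img, rules in per_image.items()
                  if len(rules) >= min_rules and rules & NETWORK_RULES)


# Constructed telemetry for illustration; only the SMTP host/port are from the report.
SAMPLE_EVENTS = [
    Event("registry_read", "wscript.exe",
          "HKCU\\Control Panel\\International\\Geo\\Nation"),
    Event("registry_set", "wscript.exe",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    Event("net_connect", "wscript.exe", "api.ipify.org", 443),
    Event("net_connect", "wscript.exe", "mail.cash4cars.nz", 587),
    # Benign look-alikes that must not fire: a mail client, and an unrelated registry write.
    Event("net_connect", "outlook.exe", "mail.cash4cars.nz", 587),
    Event("registry_set", "explorer.exe",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"),
]

if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS)
    for img in suspicious_images(hits):
        print(img, sorted(hits[img]))
```

The per-process correlation is the point: each individual signature also matches benign software, but one image that both persists via a Run key and talks to a mail server or IP-lookup service is the pattern the sandbox verdict above describes.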