General
- Target: cc706991e70caa76595bf08fc59bc6a1.bin
- Size: 109KB
- Sample: 240418-cdc7fsga86
- MD5: 3b264a4c768859db3fbe8ab7b54520e4
- SHA1: 66de4785b8d68025b081844e00e85d8a8f8edc4d
- SHA256: 6f6d4b1afc18eb8aeb857b3b6d36fc5d8218a0ab159d042891bfecf47eccaba5
- SHA512: 452b5f629a6a2175bac0c8be9da34134e90874f1724042472d0b78f5e6ece00d046b89ff0c6a58dd9aa5dbebf284e39ac00b6abff42b09f3859a10f8e6fb2cd7
- SSDEEP: 3072:O4nSrdnwxE4GS9eHcrepRSOSyQAmdeqA7C2G8xFA:bxQ4eHA8RSuQASc7C4A
Static task: static1
Behavioral task: behavioral1
- Sample: 26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c.vbs
- Resource: win7-20240319-en
Behavioral task: behavioral2
- Sample: 26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c.vbs
- Resource: win10v2004-20240412-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bresciagrameen.lk
- Port: 587
- Username: info@bresciagrameen.lk
- Password: #S413vT0u45#
- Email To: officejay@yandex.com
Targets
- Target: 26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c.vbs
- Size: 210KB
- MD5: cc706991e70caa76595bf08fc59bc6a1
- SHA1: 1172135bb6eafef9633db0ae5f818366a1515e8a
- SHA256: 26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c
- SHA512: 3528e82039587e51e9d2e96a99f76941e4077161a3782b3fe4fd0cb7d7f2125a0844554e77c6de7408a0ee3da02e487ec1746465c9f0a3c30222e78a1093e476
- SSDEEP: 6144:DYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJfkqZD:A2dOB2mTJ
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext