General
- Target: Purchase.vbs
- Size: 105KB
- Sample: 240418-lwnwcaah8v
- MD5: 09306e3d4884937ef15a686ee4aa1412
- SHA1: dbdd7b1b1829232b4ff385fa5b98b5c3d7553fe2
- SHA256: 126e8204b6044a3bdb1d885cc462376377a3165d2c572de086baaa715f49ae9e
- SHA512: 9bf6ef2011b3d162142df67496e844d49f12ada62d5c0545070eb43034a01ee7cc3197e21448c70c1b0d918f773e6ef89940c3198288298c93ed36f5cf08fb22
- SSDEEP: 3072:C7UtxD30yAV1bePHvAVXJLlkGYmp47L+7OpkPWa2Ot:C7Utl0yAvbePHvAtJLlbJp47LSABa2Ot
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Purchase.vbs
  Resource: win10v2004-20240412-en
Malware Config
Extracted
  Protocol: smtp
  Host: boydjackson.org
  Port: 587
  Username: [email protected]
  Password: Bukky101@
Extracted
  agenttesla
  Protocol: smtp
  Host: boydjackson.org
  Port: 587
  Username: [email protected]
  Password: Bukky101@
  Email To: [email protected]
Targets
- Target: Purchase.vbs
Score: 10/10
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext