General

  • Target

    Purchase.vbs

  • Size

    105KB

  • Sample

    240418-lwnwcaah8v

  • MD5

    09306e3d4884937ef15a686ee4aa1412

  • SHA1

    dbdd7b1b1829232b4ff385fa5b98b5c3d7553fe2

  • SHA256

    126e8204b6044a3bdb1d885cc462376377a3165d2c572de086baaa715f49ae9e

  • SHA512

    9bf6ef2011b3d162142df67496e844d49f12ada62d5c0545070eb43034a01ee7cc3197e21448c70c1b0d918f773e6ef89940c3198288298c93ed36f5cf08fb22

  • SSDEEP

    3072:C7UtxD30yAV1bePHvAVXJLlkGYmp47L+7OpkPWa2Ot:C7Utl0yAvbePHvAtJLlbJp47LSABa2Ot

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    boydjackson.org
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Bukky101@

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Purchase.vbs

    • Size

      105KB

    • MD5

      09306e3d4884937ef15a686ee4aa1412

    • SHA1

      dbdd7b1b1829232b4ff385fa5b98b5c3d7553fe2

    • SHA256

      126e8204b6044a3bdb1d885cc462376377a3165d2c572de086baaa715f49ae9e

    • SHA512

      9bf6ef2011b3d162142df67496e844d49f12ada62d5c0545070eb43034a01ee7cc3197e21448c70c1b0d918f773e6ef89940c3198288298c93ed36f5cf08fb22

    • SSDEEP

      3072:C7UtxD30yAV1bePHvAVXJLlkGYmp47L+7OpkPWa2Ot:C7Utl0yAvbePHvAtJLlbJp47LSABa2Ot

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks