General
Target: 23042024_2336_23042024_invoice.pdf.gz
Size: 26KB
Sample: 240423-s1612she72
MD5: 0edbe4c141c8b3ffab17465a96219aac
SHA1: 674554e88fac6613228a6e5b230f1728c3a03371
SHA256: 241d4f757582f0926e588a35c563b9fd8acedd024282ed49ea59ea883334c366
SHA512: 75989e4bbe77c061bd1afc24199d54119d6240e46a3b60b24da7c797d3f0233f590ee38953873356182796537705677c3672a13840e1c095b1e8b85e422d996d
SSDEEP: 384:jCbpa/04KPgloswNEHqBwjPDzH6bgPJs4WivjE2oI5WXxeeUL29CKSgALDfen4u8:0a/04llZL+wzHxRvtF8BewZShe5eNLIq
Static task: static1
Behavioral task: behavioral1
Sample: invoice pdf.wsf
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: invoice pdf.wsf
Resource: win10v2004-20240226-en
Malware Config
Extracted: agenttesla (credentials for the FTP server the stealer uploads harvested data to)
Protocol: ftp
Host: ftp://ftp.concaribe.com
Port: 21
Username: [email protected] (the page shows only this placeholder; the account name is not recoverable from it)
Password: ro}UWgz#!38E
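The extracted config above is the most actionable part of the report: it names the exfiltration host and port. The following is an added example (not code from the report or the sandbox) that parses those "Key: value" lines into a record, derives a Suricata DNS rule for the host, and scans log lines for contact with it. The log lines, their key=value format and the "cleartext_ftp" heuristic are my constructions and assumptions, not anything the report states.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# The extracted config exactly as the report lists it. The username is the
# placeholder shown on the page, not a recovered account name.
REPORT_CONFIG = """\
Protocol: ftp
Host: ftp://ftp.concaribe.com
Port: 21
Username: [email protected]
Password: ro}UWgz#!38E
"""

@dataclass(frozen=True)
class ExfilConfig:
    protocol: str
    host: str
    port: int
    username: str
    password: str

def parse_config(text: str) -> ExfilConfig:
    """Turn the report's 'Key: value' lines into a typed record; the host is
    normalised to a bare hostname so it can be compared against log fields."""
    kv = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            kv[key.strip().lower()] = value.strip()
    host = kv["host"]
    if "://" in host:                      # report gives ftp://ftp.concaribe.com
        host = urlparse(host).hostname or host
    return ExfilConfig(kv["protocol"].lower(), host.lower(), int(kv["port"]),
                       kv["username"], kv["password"])

def suricata_dns_rule(cfg: ExfilConfig, sid: int = 1000001) -> str:
    """DNS-query rule for the exfil host (sid is an arbitrary local-range value)."""
    return (f'alert dns $HOME_NET any -> any any (msg:"AgentTesla exfil host lookup '
            f'{cfg.host}"; dns.query; content:"{cfg.host}"; nocase; sid:{sid}; rev:1;)')

# Constructed firewall-style log lines (not from the report) in a simple key=value format.
CONSTRUCTED_LOGS = [
    "ts=2024-04-23T23:40:12Z src=10.0.0.15 dst=ftp.concaribe.com dport=21 app=ftp",
    "ts=2024-04-23T23:40:13Z src=10.0.0.15 dst=FTP.CONCARIBE.COM dport=21 app=ftp",
    "ts=2024-04-23T23:41:02Z src=10.0.0.22 dst=updates.example.net dport=443 app=https",
    "ts=2024-04-23T23:42:55Z src=10.0.0.15 dst=ftp.example.net dport=21 app=ftp",
]

def _fields(line: str) -> dict:
    return dict(m.groups() for m in re.finditer(r"(\w+)=(\S+)", line))

def scan_logs(cfg: ExfilConfig, lines) -> list:
    """Return (line_index, reason) hits. 'config_host' = contact with the extracted
    exfil host on its port; 'cleartext_ftp' = any other outbound FTP, worth review
    because this family exfiltrates over plain FTP (heuristic, my addition)."""
    hits = []
    for i, line in enumerate(lines):
        f = _fields(line)
        dst, port = f.get("dst", "").lower(), int(f.get("dport", 0))
        if dst == cfg.host and port == cfg.port:
            hits.append((i, "config_host"))
        elif port == 21 or f.get("app") == "ftp":
            hits.append((i, "cleartext_ftp"))
    return hits
```

Matching on the hostname alone is deliberate: the report gives no IP for the host, and a DNS-query rule survives the host being re-pointed, while the port check keeps a coincidental web visit to the same domain from firing as "config_host".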
Targets
Target: invoice pdf.wsf
Size: 54KB
MD5: 5f34914e10cbab186d1b209265e2ea51
SHA1: 61e57fe5b455954d5727748e8b9046d3d558bc6f
SHA256: cd80d457405b27e9c6834f4d3e952fb3739bec5c4839e53dca134d5885d21438
SHA512: 7ec53b06de022504e3495fd5976cc370a6910cbb7ee96ca7564b0b9c3d370140b3b15dd59652b37ff89ea8edc40700010b09c89425b786a514102c221d870cce
SSDEEP: 768:iBT2p/fwNaKj7gHrI0i3wPDPM+A0s2hyOX0Q4afFysrmUYAYB8nq7ralHdYiShF:iBgukLI1gPDPTxyk0MfFCNqnrHdKhF
Score: 10/10
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; this sample's extracted config gives it an FTP server to upload harvested data to.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry (the user's GeoID under HKCU\Control Panel\International\Geo), likely a geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
  Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so that thread's debug events are never delivered to an attached debugger.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calls NtSetInformationThread with the ThreadHideFromDebugger information class on an existing thread, a common anti-debugging technique.
- Suspicious use of SetThreadContext
  Overwrites a thread's register context (typically its entry point), as seen in process hollowing and other injection techniques.
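The signatures above are behavioral: each corresponds to a specific API call with specific arguments. The following is an added example (my code, not the sandbox's signature engine) that matches those five behaviors over an API-call trace, using the real ntdll constants (ThreadHideFromDebugger = 0x11, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4). The trace records, their field names, the list of IP-lookup hosts, and the choice to count only cross-process SetThreadContext are my constructions and assumptions.

```python
from urllib.parse import urlparse

# Windows native API constants (ntdll).
THREAD_HIDE_FROM_DEBUGGER = 0x11              # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit
GEO_KEY = r"hkcu\control panel\international\geo"   # holds the user's GeoID ("Nation")
# Hosts commonly used for external-IP discovery (my list, not from the report).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ipinfo.io"}

def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def match_signatures(trace) -> dict:
    """Map each matched signature name (spelled as in the report) to the number of
    matching calls. Each trace record is {"pid": int, "api": str, "args": dict}."""
    counts = {}
    def hit(name):
        counts[name] = counts.get(name, 0) + 1
    for rec in trace:
        api, a, pid = rec["api"], rec.get("args", {}), rec["pid"]
        if api == "NtSetInformationThread" and a.get("class") == THREAD_HIDE_FROM_DEBUGGER:
            hit("Suspicious use of NtSetInformationThreadHideFromDebugger")
        elif api == "NtCreateThreadEx" and a.get("flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hit("Suspicious use of NtCreateThreadExHideFromDebugger")
        elif api == "SetThreadContext" and a.get("target_pid", pid) != pid:
            # Only cross-process use is counted here (hollowing/injection); my narrowing.
            hit("Suspicious use of SetThreadContext")
        elif (api.startswith("RegQueryValueEx")
              and a.get("key", "").lower().strip("\\") == GEO_KEY
              and a.get("value") == "Nation"):
            hit("Checks computer location settings")
        elif "url" in a and _host(a["url"]) in IP_LOOKUP_HOSTS:
            hit("Looks up external IP address via web service")
    return counts

# Constructed trace (not from the report) exercising every signature plus benign lookalikes.
CONSTRUCTED_TRACE = [
    {"pid": 1234, "api": "RegOpenKeyExW", "args": {"key": r"HKCU\Control Panel\International\Geo"}},
    {"pid": 1234, "api": "RegQueryValueExW", "args": {"key": r"HKCU\Control Panel\International\Geo", "value": "Nation"}},
    {"pid": 1234, "api": "NtSetInformationThread", "args": {"class": 0x11}},
    {"pid": 1234, "api": "NtCreateThreadEx", "args": {"flags": 0x4}},
    {"pid": 1234, "api": "NtCreateThreadEx", "args": {"flags": 0x0}},      # ordinary thread
    {"pid": 1234, "api": "SetThreadContext", "args": {"target_pid": 5678}},  # another process
    {"pid": 1234, "api": "SetThreadContext", "args": {"target_pid": 1234}},  # own process, ignored
    {"pid": 1234, "api": "InternetOpenUrlW", "args": {"url": "https://api.ipify.org/"}},
    {"pid": 1234, "api": "InternetOpenUrlW", "args": {"url": "https://www.example.com/"}},
]
```

Keying the checks on argument values rather than API names is what keeps the benign lookalikes in the trace (a normal NtCreateThreadEx, a same-process SetThreadContext, an unrelated URL) from firing; a sandbox signature that matched on the API name alone would score them all.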