General
Target: 87d1bfd390c7869ca1d8d98727246762d3b6eee720b4f1d20be8054c0008704d.rar
Size: 28KB
Sample: 240424-bz1dfadg64
MD5: d0af3f330e823bcb8c9f537ecca6bea4
SHA1: 27accdb53c6ad7cd059347f0296eb942b7d7e738
SHA256: 87d1bfd390c7869ca1d8d98727246762d3b6eee720b4f1d20be8054c0008704d
SHA512: cbba0ab3283ccd7ab8c7b50e7ad2c3094ec4326f84e33e0c64a0d4bc715a2f21c7d4d5204e3a152479610084493701b2fceebd436b0cb4fb946e96398479f4c2
SSDEEP: 384:jZbbb73FwmGF6jLTfEzjknnCsotb8HA7P7q9yZI+LdvhUtYuE61oLMoBPujmHFGq:Fb7FwV8DEYMhQQZNVhUWUoL5SSGho
Static task: static1
Behavioral task: behavioral1
  Sample: DHL_RF_20200712_BN_OTN 0095673441.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: DHL_RF_20200712_BN_OTN 0095673441.vbs
  Resource: win10v2004-20240412-en
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.concaribe.com
Port: 21
Username: [email protected]
Password: @Ixk.X0Q&I?d
Targets
Target: DHL_RF_20200712_BN_OTN 0095673441.vbs
Size: 59KB
MD5: a2b0a8025751c0f356eddece9a63e4b2
SHA1: bf2d1d20bdd65dc431ae106081d879c6d5ca4ac0
SHA256: 40ab2fb30af697ac782ea1609c0488bcaef61dbd1c10f7f851bc19ff1f4764a6
SHA512: a55badf1a5d856875a8a123de1d335593668fbcbb546cfe709166674a39be9c582ccb1b159dce08289161132979a9d896903c884c7569502c997191e7e07d2ab
SSDEEP: 768:sP72p/fwNaKj7gHrI0i3wPDPM+A0s2hyOX0Q4afFysrmUYAYB8nq7rPxQyzhgf7:sAukLI1gPDPTxyk0MfFCNqnZ46f7
Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in information stealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext