General
- Target: transferencia.vbs
- Size: 8KB
- Sample: 240424-fdy1psfa91
- MD5: 2fe770d33d2914604cd6de9de6269115
- SHA1: 7a51a354de5c553a3ef37536446e445f173bf2eb
- SHA256: 7b9738b373aa1ff75b5834b737b574679ad0485eb74910477c7dd00f2ee412c2
- SHA512: f956e4fc29fc41e9a102e1fe693bd1f86e8bc5964b8c4e188e0da4325a57304ca372a3eb260a7fd9c50ca1ea6a2e92a0f2384b40590bfe26f3bbae717b73e31e
- SSDEEP: 192:H1uvVpXicw7DQ6cpp9S1INK5gdvYciPC5Eswi62dHZXc9dtvGGEWyoLQYR:H1e7icpp9SW0eycWCTwilXc9dtvGpWNR
Static task: static1
Behavioral task: behavioral1
- Sample: transferencia.vbs
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: transferencia.vbs
- Resource: win10v2004-20240226-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.cash4cars.nz
- Port: 587
- Username: logs@cash4cars.nz
- Password: logs2024!
- Email To: anyaegbu.kay@gmail.com
Targets
- Target: transferencia.vbs
- Size: 8KB
- MD5: 2fe770d33d2914604cd6de9de6269115
- SHA1: 7a51a354de5c553a3ef37536446e445f173bf2eb
- SHA256: 7b9738b373aa1ff75b5834b737b574679ad0485eb74910477c7dd00f2ee412c2
- SHA512: f956e4fc29fc41e9a102e1fe693bd1f86e8bc5964b8c4e188e0da4325a57304ca372a3eb260a7fd9c50ca1ea6a2e92a0f2384b40590bfe26f3bbae717b73e31e
- SSDEEP: 192:H1uvVpXicw7DQ6cpp9S1INK5gdvYciPC5Eswi62dHZXc9dtvGGEWyoLQYR:H1e7icpp9SW0eycWCTwilXc9dtvGpWNR
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence check.
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext