General
- Target: f11b56ca9ac99ec656399985c385196dce655113485a50db2ace30408bd48c6f
- Size: 12KB
- Sample: 240426-cdq4bahb79
- MD5: a8b90bae64a6f7636b9acbd7da84a4f2
- SHA1: a46c220453f2f666fc59dd82511e30ca33739f9e
- SHA256: f11b56ca9ac99ec656399985c385196dce655113485a50db2ace30408bd48c6f
- SHA512: 53ff726b09b6ac2dea5d6fb451a71b8d315922350e1d5b93e896ddc3ec6d9fe28005d5791ea697d88839ccb9718fc088cee6de8d5fe62294bab71db70fd7e8dc
- SSDEEP: 384:Rt0TtFVEQX0XQxrosHMd+m8mGbmO3jrRyH+uyRErVpPgR5VN1b5P7wJx:UVVEAxr/MgHmGqO3jrR5ROV2v92
Static task: static1
Behavioral task: behavioral1
- Sample: f11b56ca9ac99ec656399985c385196dce655113485a50db2ace30408bd48c6f.vbs
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: f11b56ca9ac99ec656399985c385196dce655113485a50db2ace30408bd48c6f.vbs
- Resource: win10v2004-20240412-en
Malware Config
Extracted
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: vicmann@treyfix.xyz
- Password: vicman101
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: vicmann@treyfix.xyz
- Password: vicman101
- Email To: sender@treyfix.xyz
Targets
- Target: f11b56ca9ac99ec656399985c385196dce655113485a50db2ace30408bd48c6f
- Size: 12KB
- MD5: a8b90bae64a6f7636b9acbd7da84a4f2
- SHA1: a46c220453f2f666fc59dd82511e30ca33739f9e
- SHA256: f11b56ca9ac99ec656399985c385196dce655113485a50db2ace30408bd48c6f
- SHA512: 53ff726b09b6ac2dea5d6fb451a71b8d315922350e1d5b93e896ddc3ec6d9fe28005d5791ea697d88839ccb9718fc088cee6de8d5fe62294bab71db70fd7e8dc
- SSDEEP: 384:Rt0TtFVEQX0XQxrosHMd+m8mGbmO3jrRyH+uyRErVpPgR5VN1b5P7wJx:UVVEAxr/MgHmGqO3jrR5ROV2v92
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext