General
Target: eveningxla.vbs
Size: 63KB
Sample: 240426-mg4hxsed9z
MD5: afb1700ff68839cbd3adcd18fa90e6b5
SHA1: 234f61155f8a5171de0882461901a79d2cd70e63
SHA256: d70c06f043e7879d2a49b5007497e280da5a30415f6e1c764355dc890afe7201
SHA512: 2dc5154f7f20815c5af04f3d2099cb41c0119d7e8606c5e45a716770724a44e746e461a16bc3940ca0034699959930db4c820ca4caeb48ae1e9d921335417da0
SSDEEP: 384:FZAaML0UXP2ur2HYnpMNwZIRpu/kO6jM1L7Kc0ZiEXJg:7xO2u1iNwZIRg/kOq9ZRZg
Static task: static1
Behavioral task: behavioral1
  Sample: eveningxla.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: eveningxla.vbs
  Resource: win10v2004-20240419-en
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.fosna.net
Port: 21
Username: madamweb@fosna.net
Password: =A+N^@~c]~#I
Targets
Target: eveningxla.vbs
Score: 10/10
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext