General

  • Target: eveningxla.vbs
  • Size: 63KB
  • Sample: 240426-mg4hxsed9z
  • MD5: afb1700ff68839cbd3adcd18fa90e6b5
  • SHA1: 234f61155f8a5171de0882461901a79d2cd70e63
  • SHA256: d70c06f043e7879d2a49b5007497e280da5a30415f6e1c764355dc890afe7201
  • SHA512: 2dc5154f7f20815c5af04f3d2099cb41c0119d7e8606c5e45a716770724a44e746e461a16bc3940ca0034699959930db4c820ca4caeb48ae1e9d921335417da0
  • SSDEEP: 384:FZAaML0UXP2ur2HYnpMNwZIRpu/kO6jM1L7Kc0ZiEXJg:7xO2u1iNwZIRg/kOq9ZRZg

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: ftp
  • Host: ftp://ftp.fosna.net
  • Port: 21
  • Username: madamweb@fosna.net
  • Password: =A+N^@~c]~#I

Targets

    • Target: eveningxla.vbs

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 2

Tasks