Overview

overview

10

Static

static

1

43680d1525...15.vbs

windows7-x64

10

43680d1525...15.vbs

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    43680d15253c03c6df241c645523de164cc2ff21270b241f6e21cbde83b07015

  • Size

    12KB

  • Sample

    240427-b1tx2sgc99

  • MD5

    3e09dac22349c76c2589dd38c7c3c6c3

  • SHA1

    74852521e1b3ccc8150d30fa53f1dfd3dca97849

  • SHA256

    43680d15253c03c6df241c645523de164cc2ff21270b241f6e21cbde83b07015

  • SHA512

    04b225dfa304554189c90e55a56051e1f6d9588acf2da3c4b0160c13ceb2f8b4edd73b0c0fbaf671e64decadd09fbc4441d09bca11e44f90661f58a7acb6c3cf

  • SSDEEP

    384:+J9BHkNV436k6UqgoAu7d+mU5G6ix3nMR7H+bCRJOVpPgRcVNeb9Skk0YA7J:xV+/zqga7gP5Glx3nMRq2OVZgQkk0YK

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.controlfire.com.mx
  • Port:
    587
  • Username:
    apama@controlfire.com.mx
  • Password:
    [;E4nNUMlscW
  • Email To:
    apama_reports@controlfire.com.mx

Targets

    • Target

      43680d15253c03c6df241c645523de164cc2ff21270b241f6e21cbde83b07015

    • Size

      12KB

    • MD5

      3e09dac22349c76c2589dd38c7c3c6c3

    • SHA1

      74852521e1b3ccc8150d30fa53f1dfd3dca97849

    • SHA256

      43680d15253c03c6df241c645523de164cc2ff21270b241f6e21cbde83b07015

    • SHA512

      04b225dfa304554189c90e55a56051e1f6d9588acf2da3c4b0160c13ceb2f8b4edd73b0c0fbaf671e64decadd09fbc4441d09bca11e44f90661f58a7acb6c3cf

    • SSDEEP

      384:+J9BHkNV436k6UqgoAu7d+mU5G6ix3nMR7H+bCRJOVpPgRcVNeb9Skk0YA7J:xV+/zqga7gP5Glx3nMRq2OVZgQkk0YK

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks