General
-
Target
80d66a927ede02982222ad5ec0b000e0ee696476724d480980d6a4009a59ddb9.vbs
-
Size
296KB
-
Sample
240430-bx9t4agd78
-
MD5
b6c156a6ddcc914249b7316bd49401e9
-
SHA1
16feeb332df9a7d664a548cfcf2c5ae79878ae08
-
SHA256
80d66a927ede02982222ad5ec0b000e0ee696476724d480980d6a4009a59ddb9
-
SHA512
dd6e13dce798e1820403cb2922c7d69894cd44d064dca32c8876165df34eebd3331b72e1f3b0bbd83585d9b9830ecfe7f06fd1daca8f9ecf38f59c31e69028bb
-
SSDEEP
6144:2c7tvCwj2O9lT+TIvZCoJZP2xwrpuHeAFUhhmPhLkJRY:vKwRwkImzs/Mh2gJ6
Static task
static1
Behavioral task
behavioral1
Sample
80d66a927ede02982222ad5ec0b000e0ee696476724d480980d6a4009a59ddb9.vbs
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
80d66a927ede02982222ad5ec0b000e0ee696476724d480980d6a4009a59ddb9.vbs
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
proglass.com.sg - Port:
587 - Username:
[email protected] - Password:
BillionPay$ - Email To:
[email protected]
Targets
-
-
Target
80d66a927ede02982222ad5ec0b000e0ee696476724d480980d6a4009a59ddb9.vbs
-
Size
296KB
-
MD5
b6c156a6ddcc914249b7316bd49401e9
-
SHA1
16feeb332df9a7d664a548cfcf2c5ae79878ae08
-
SHA256
80d66a927ede02982222ad5ec0b000e0ee696476724d480980d6a4009a59ddb9
-
SHA512
dd6e13dce798e1820403cb2922c7d69894cd44d064dca32c8876165df34eebd3331b72e1f3b0bbd83585d9b9830ecfe7f06fd1daca8f9ecf38f59c31e69028bb
-
SSDEEP
6144:2c7tvCwj2O9lT+TIvZCoJZP2xwrpuHeAFUhhmPhLkJRY:vKwRwkImzs/Mh2gJ6
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-