General
Target: 65cba6ef850c80b260bf2be5f87384fe6d34d53c9198591311aa089b6ed5e21c.vbs
Size: 177KB
Sample: 240511-kjftjahd3v
MD5: ddb01403abe1313b61a528b397dd11fe
SHA1: a15d8db2464514fad90fbb75337330583ff76b3f
SHA256: 65cba6ef850c80b260bf2be5f87384fe6d34d53c9198591311aa089b6ed5e21c
SHA512: 2d8f322fc766046fba5aeab33b4a491d24833cc4cde65943cdbeb84aefbeb7893e876c917b0f9b1ac9578aef1a1051028be01a2a712d7d18029264325ba11024
SSDEEP: 1536:ben2+mzXdnRYwpd99CObidCocEW1aJK66n5yhtW0/5JpWn4cVIg0BfbUZlu9gISj:1pdI9JK6X/vceg0Bfc7
Static task: static1
Behavioral task: behavioral1
Sample: 65cba6ef850c80b260bf2be5f87384fe6d34d53c9198591311aa089b6ed5e21c.vbs
Resource: win7-20240221-en

Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.folder.ro
Port: 21
Username: [email protected]
Password: R2r76%(3v^H0
Targets
Target: 65cba6ef850c80b260bf2be5f87384fe6d34d53c9198591311aa089b6ed5e21c.vbs
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext