General

  • Target

    detalle_transferencia_2024-05-13T064143.173 0200_3049280002017526_PDF.vbs

  • Size

    156KB

  • Sample

    240515-l1q69scd28

  • MD5

    af4988727a30510d3be9d7404adaefa3

  • SHA1

    cd1f3c4379a535b47172a48b4aaecc63763ad253

  • SHA256

    db31131e1d0ee7cbad33e28f61c55867ade268fcbf780516f08565498ce6f527

  • SHA512

    0e97a3324de0a7d4c07716f62e54bc6b5b1f66cbc8b72f76a99ac1c277a76be99e30ee04f28990bc901e520242df68d4c1df02bca7947cafdfba0dcd6110f4cf

  • SSDEEP

    1536:X2yd99CObitCocEW1aJK66n5yhtW0/5JpWn4ctYg0BCbUZlu9gISsRL:GydI9JK6X/vc2g0BCcU

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks