General
-
Target
88bfeceeb200400bc9279d710f24d6afae6297f6e702fb45075962acf0d7edd1
-
Size
216KB
-
Sample
240518-j9mjbsbe6z
-
MD5
cd9ed63566302e6380bb39d26d3094c3
-
SHA1
ceb5af2c40b9d3449c9a11e98d611816895c5ade
-
SHA256
88bfeceeb200400bc9279d710f24d6afae6297f6e702fb45075962acf0d7edd1
-
SHA512
f2c479a355d2867eb23403297e32f3c5cf45aeb85bdd991a0f9c67df11447f860f6c050ccb0d537b309ba596cc7f3ff551ac60584929a5649acf8cb1cf9e7098
-
SSDEEP
6144:f41LCp1C9lEDVPtos9HbgrqtplNoinOwOM:osCGDVC6kG3Luw7
Static task
static1
Behavioral task
behavioral1
Sample
89dad71e8e344e1153817f221f9acf44bddb75941adae5c17a92a461ae1e8424.vbs
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
89dad71e8e344e1153817f221f9acf44bddb75941adae5c17a92a461ae1e8424.vbs
Resource
win10v2004-20240426-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.connectdots.my - Port:
587 - Username:
[email protected] - Password:
Colony5157! - Email To:
[email protected]
Targets
-
-
Target
89dad71e8e344e1153817f221f9acf44bddb75941adae5c17a92a461ae1e8424.vbs
-
Size
428KB
-
MD5
b0e796537c6e8d5afd5d7bb3ae79966e
-
SHA1
e590f3960ecc0addee9261c0a3619273ae31acc0
-
SHA256
89dad71e8e344e1153817f221f9acf44bddb75941adae5c17a92a461ae1e8424
-
SHA512
75da68f2a5a4ed08d86485c43524a4fbfc8ffcfbb05dda7d561f07a535f94ccdb7843480754818bfb07524d10bdbb68dbe54ed4b5576cb3e1aa5c7cb2cd29d26
-
SSDEEP
6144:/R4t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+4o:/uJv0ayfOb64MRycngoavbN0vBrbu5+
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-