General

  • Target

    Doc09876545678.vbs

  • Size

    14KB

  • Sample

    240603-hj7k5sgd53

  • MD5

    494d78b928788a22fb2114e977a65aa3

  • SHA1

    f45fbbacb8fbda4f1e87f2b4d354294aa58e5d22

  • SHA256

    af46cfe7a8d2968846d0ae4ea5b3b36f91f37cf4195f781155e95c4e20696f85

  • SHA512

    cb04906f798259528f922439d8ff1e5dabd989b53b2fc4b19c8d9c1663fbaf40a504d8dd0d2592cbf12048ec0e80dde27dbff4dd9cf5e2974a1714fb0748856c

  • SSDEEP

    384:uZ4/lDtFSJhFdLCygqhKSYVg7ThfMbfj9wsH:ucDtFSJpLlKSAg7VfsBx

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks