General
- Target: overdue_invoice.ace
- Size: 7KB
- Sample: 240603-jxac8shh67
- MD5: f50aee74fcda3ea10ee3c2f5d3d75662
- SHA1: 3a506a6f221ba531b66632670978efddd2be959d
- SHA256: 5bda2e2623e9c30c9571c974005206a3ebd4e66009069f0105597a9449ff7c57
- SHA512: 8785aaaff66d5d9b3ed56ba8e1da72cc3aada04a7524f5eacb5f9d45fae01792454ac5e922ea318fb8c76419d592fc751f67c1c1a54c64b7b141110df6074e70
- SSDEEP: 192:+mBbxe59xTzGyNye05wSi++MY5uNAZN54JA24gZeC33hlSYzLoBX:+my5rzF792+MIuNAZNCJoZCHh8V
Static task: static1
Behavioral task: behavioral1
- Sample: overdue_invoice.vbs
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: overdue_invoice.vbs
- Resource: win10v2004-20240508-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.defenber.com
- Port: 587
- Username: [email protected]
- Password: X8hhdzc})RSz
- Email To: [email protected]
Targets
- Target: overdue_invoice.vbs
- Size: 15KB
- MD5: 7078829e255df55f25a8bcaa9bdaffb4
- SHA1: 1bcacd12305661a2dedecb4eb6f8ad57ae5d672e
- SHA256: d16ea5d6d40c9020b99032eaefab9b62f3c63bae12d24103a6b10ac5a2dcd34c
- SHA512: 4d56cc648febb1c0dceb44e41415cb30a9e975997f5d3fa67b97e2a039d6068f383e285daeb39b50eb0b18bd1a1c5c102544f2670e54e3109cff74d6268e1495
- SSDEEP: 192:ulJUFFdUTxfDs+rHw7FEFggnliEWHxg40HG5Q6MkouP0L3gwJSi3qMFP6WPS6vMy:ulCHkxNrHwhEjiIvkJ8LJRY4Er8saQa
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext