General

  • Target

    e2eb2639ee439ad5cca4736f1cbc7eaf53871480cc92852ee6832b51c8e10b15.vbs

  • Size

    14KB

  • Sample

    240605-cxh7tacc85

  • MD5

    90515752d3c0c63e9d1ab4df85585923

  • SHA1

    bafd7fc8f7f1286e43dbb9aec38d4659215581c7

  • SHA256

    e2eb2639ee439ad5cca4736f1cbc7eaf53871480cc92852ee6832b51c8e10b15

  • SHA512

    7b954cdffaa1046ddf75a01ba95855f712b9d2e3e3f5f7c66fa56364c730aae76e4dd4d667113c7ef208a0177ced23466c77f02365d97c4453999da0d1f6179f

  • SSDEEP

    384:uca7f8sc8MNQEgDnSpmCJMhfJBPPx3IuoCI0:urf8P8xjsmoglPkz0

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot2130601984:AAFbq9oRuTM0trTEQbxU_lfoBZ4A2S2DeD8/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks