General

  • Target

    e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319.vbs

  • Size

    15KB

  • Sample

    240605-sk8vpsae5s

  • MD5

    d81e427713a8533aca1a8381056e6329

  • SHA1

    ec0212bc9ee40b1d8ad371fb8d26ec83c14cb1b0

  • SHA256

    e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319

  • SHA512

    76d6420a4052e6d8ef1eaa1f7e6501275487a645fa0b3f1d945eb053ef8f5baa15b3da4758002c3af531b0bf9d79c9ec2ea29d086c34e86f69531751175e2f01

  • SSDEEP

    384:uEOQHIuXaT4jdQCEf7UAKPQM+8no6/6C7rb:uEj/XxdgCRoinb

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5709291639:AAG1slnQjLEtkzr1acv7W25d5hS421wR2lI/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks