General
-
Target
e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319.vbs
-
Size
15KB
-
Sample
240605-sk8vpsae5s
-
MD5
d81e427713a8533aca1a8381056e6329
-
SHA1
ec0212bc9ee40b1d8ad371fb8d26ec83c14cb1b0
-
SHA256
e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319
-
SHA512
76d6420a4052e6d8ef1eaa1f7e6501275487a645fa0b3f1d945eb053ef8f5baa15b3da4758002c3af531b0bf9d79c9ec2ea29d086c34e86f69531751175e2f01
-
SSDEEP
384:uEOQHIuXaT4jdQCEf7UAKPQM+8no6/6C7rb:uEj/XxdgCRoinb
Static task
static1
Behavioral task
behavioral1
Sample
e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319.vbs
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319.vbs
Resource
win10v2004-20240508-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5709291639:AAG1slnQjLEtkzr1acv7W25d5hS421wR2lI/
Targets
-
-
Target
e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319.vbs
-
Size
15KB
-
MD5
d81e427713a8533aca1a8381056e6329
-
SHA1
ec0212bc9ee40b1d8ad371fb8d26ec83c14cb1b0
-
SHA256
e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319
-
SHA512
76d6420a4052e6d8ef1eaa1f7e6501275487a645fa0b3f1d945eb053ef8f5baa15b3da4758002c3af531b0bf9d79c9ec2ea29d086c34e86f69531751175e2f01
-
SSDEEP
384:uEOQHIuXaT4jdQCEf7UAKPQM+8no6/6C7rb:uEj/XxdgCRoinb
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-