General

  • Target

    Lumina_Equipmentos Order_pdf.vbs

  • Size

    94KB

  • Sample

    240612-g4xe8ssgma

  • MD5

    5ac2ab108609873b3d963f57d6827c3d

  • SHA1

    8afbc4b5331e9ccb61991e923fd88c05cfd38bb7

  • SHA256

    2af5528d59bdc1fe30617f5f8b38c7398ca84124ac46c6d2a408f605300c6478

  • SHA512

    0d12feff7d686a34c3bd8ed2183c51525c3b11f9934d1c1aada40f8c8657d9b5d28d1c8a483c2c2300e29104ee86882cb08d64ef8e008bbfac987514d8d7b1b5

  • SSDEEP

    384:8LxjHvGzoZ2bswc9/zhyq1Z1zYdCQI/kv:uHao8bsr/VNZT/kv

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks