General
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1232825231312420997/1252503669698728087/PO-_RFL059210.zip?ex=66727471&is=667122f1&hm=5e1872bc711cb3f4269d51a83c5656aebd9a7168ce54a54e950f88b01d30196f&
Resource: win10v2004-20240508-en
Malware Config
Extracted
  Protocol: ftp
  Host: ftp.skitz.com.ng
  Port: 21
  Username: [email protected]
  Password: Kosyano1@
Extracted: agenttesla
  Protocol: ftp
  Host: ftp://ftp.skitz.com.ng
  Port: 21
  Username: [email protected]
  Password: Kosyano1@
Targets
Target: https://cdn.discordapp.com/attachments/1232825231312420997/1252503669698728087/PO-_RFL059210.zip?ex=66727471&is=667122f1&hm=5e1872bc711cb3f4269d51a83c5656aebd9a7168ce54a54e950f88b01d30196f&
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext