General
-
Target
MV ROYAL QUOTATION.vbs
-
Size
92KB
-
Sample
240618-lkxn4sxfqe
-
MD5
1a0f278542c1a82b36d2a9339c44343f
-
SHA1
7464df5fb5eae9f2bb2de37aac91729be222c801
-
SHA256
03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d
-
SHA512
4e3e255185ffe407661cd5f6ef18aceaf39e4b7410926e14c2580fe9ba7a5ba3edbdf5834c03eec9662ab6b111da262ba5f8632e3304766eb99f42a60eb62ec6
-
SSDEEP
1536:w01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5R/:w09LB0DnWzhX7RXaSMxhxsAhWEwhrdMT
Static task
static1
Behavioral task
behavioral1
Sample
MV ROYAL QUOTATION.vbs
Resource
win7-20231129-en
Malware Config
Extracted
agenttesla
Protocol
smtp
-
Host
mail.myhydropowered.com
-
Port
587
-
Username
[email protected]
-
Password
0TFiRgPxmCJcdSB
-
Email To
[email protected]
Targets
-
-
Target
MV ROYAL QUOTATION.vbs
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-