General

  • Target

    STS_Bunker_00617.vbs

  • Size

    92KB

  • Sample

    240618-lkxn4sxfqf

  • MD5

    dfe2a23100ac3263583e69f48e9b32e6

  • SHA1

    20087641aba69eaaaef0f87a7d21edd8a255db60

  • SHA256

    9aa64f43d090ff657848da74a0c2ea1f3211fa1d88ac3fa603e65d724360a957

  • SHA512

    48b5bf8605415ead17d375adc9613b73f8e3f80132086f2a3ef11df7684e1d43ad4f97aee65967986a9964d81edcd7043d7faaf720fcd1f73052411d43153038

  • SSDEEP

    1536:V01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5eW8VLOExkzL:V09LB0DnWzhX7RXaSMxhxsAhWEwhrdMh

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      STS_Bunker_00617.vbs

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks