General

  • Target

    03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d.vbs

  • Size

    92KB

  • Sample

    240619-bcvvfavdrl

  • MD5

    1a0f278542c1a82b36d2a9339c44343f

  • SHA1

    7464df5fb5eae9f2bb2de37aac91729be222c801

  • SHA256

    03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d

  • SHA512

    4e3e255185ffe407661cd5f6ef18aceaf39e4b7410926e14c2580fe9ba7a5ba3edbdf5834c03eec9662ab6b111da262ba5f8632e3304766eb99f42a60eb62ec6

  • SSDEEP

    1536:w01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5R/:w09LB0DnWzhX7RXaSMxhxsAhWEwhrdMT

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks