General
Target: WITTE - Request for quotaton pdf.wsf
Size: 260KB
Sample: 240625-qg73wssamg
MD5: f7f9b3b41b35e66e03d06c3109197c74
SHA1: 5d9a985bcf0828bd1bfbaf887919500463e0868c
SHA256: e813ca35b7ea1a0eac973cf375a99f6e61f4322abd8569be9814852144b71ae8
SHA512: 836d4db4af2e6f39ded3ee5ff3d6d8539de902e632defa0664b14bbf3639fe8c12c792e248b189fef48f4c663337b5ce0bf0738d75a7e788c366a0f6e8f75ac0
SSDEEP: 6144:HWyOEs2Gt8zApmzaFKlc/IgwtB0QsZqNbnWsn25qhOnQZ7aTlAk3Oe27g8R0WLnJ:y2tpgE2MhihlC84j2G
Static task: static1
Behavioral task: behavioral1
  Sample: WITTE - Request for quotaton pdf.wsf
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: WITTE - Request for quotaton pdf.wsf
  Resource: win10v2004-20240508-en
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.cefin.bg
Port: 21
Username: [email protected]
Password: #UuXy?6cIbL+
Targets
Target: WITTE - Request for quotaton pdf.wsf
Score: 10/10
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext