General
-
Target
3.rar
-
Size
23KB
-
Sample
240919-stq19awald
-
MD5
44667530774009ede241b22c470cf6b0
-
SHA1
4b938425db7744c5ad6db94c226ea69474668fa4
-
SHA256
f9e4590be481cf42c1f7b1d1322243703af2af9bf44f906886af3f178b53910e
-
SHA512
57ed1187b79082e508a6354a8f6d8700a7197cb2bcabe34974d5de6e817e593b66a17935b82f1c1cf6623836d9ed0f5a6aa552c016fe846878fe9882a4b25dcc
-
SSDEEP
384:AzbXBPfTJ1qy5cknHTfHz5+oaVdrcbU/rc+26Kv3qCX8L5LJxnkJLXAVju37NFz3:WPbJTckbHz3krcbwwyc3d8HsLw4L/HKY
Static task
static1
Behavioral task
behavioral1
Sample
DHL INVOICE-2356.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
DHL INVOICE-2356.vbs
Resource
win10v2004-20240802-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
marcellinus360 - Email To:
[email protected]
Targets
-
-
Target
DHL INVOICE-2356.vbs
-
Size
43KB
-
MD5
0c816e41fef783ec40ce2d7447d4c5dd
-
SHA1
e0f156439fcba011174f92ef01a4a376b337314d
-
SHA256
b828a42d31cb9bab2620c4c1def73499c542be4f19a802c08e9c0a0971192c3f
-
SHA512
cb93ee840b711ad21cebb8f2d1f98aee087a166c320783de4913bfa70db5118780edd00d5df7712f9473452918f05d2ebad88f23280f10f97ded355b22bab7c3
-
SSDEEP
768:B696nNHECqC68L+iyHNm4WH8xlDeVXQ8MuCzPvbG4O8/MsOAkieqfz7DIKFAR:g9Ge8LP4xxaQhlDDpUssRWnIKFAR
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-