General

  • Target

    2E89819F3E67AAC66D71BC5B11407E3D4DBAA4ADAB3AC6CA7FF4F4BD69C1ABB5

  • Size

    43KB

  • Sample

    240919-xc4y1avbpk

  • MD5

    4ae2066ad08f4986be08cc497f6d9ecd

  • SHA1

    063ea24650d1804c8f93dc2373f3b0134d67fe04

  • SHA256

    2e89819f3e67aac66d71bc5b11407e3d4dbaa4adab3ac6ca7ff4f4bd69c1abb5

  • SHA512

    7383416bd386f26a2e72996467ce474f8f56494b972d5bf5b26fca319607ff6f538fbfa25bdfeca64fb43d2c3d304320e156ff25250c61a2251123569d1971c1

  • SSDEEP

    768:B/vfiNH+Cz316uuJRw4YcDeQVF+g0Ego8QnfxARXeqf17DsGzA5:Jvs4ut4yQOJxTcfguSnsGzA5

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      2E89819F3E67AAC66D71BC5B11407E3D4DBAA4ADAB3AC6CA7FF4F4BD69C1ABB5

    • Size

      43KB

    • MD5

      4ae2066ad08f4986be08cc497f6d9ecd

    • SHA1

      063ea24650d1804c8f93dc2373f3b0134d67fe04

    • SHA256

      2e89819f3e67aac66d71bc5b11407e3d4dbaa4adab3ac6ca7ff4f4bd69c1abb5

    • SHA512

      7383416bd386f26a2e72996467ce474f8f56494b972d5bf5b26fca319607ff6f538fbfa25bdfeca64fb43d2c3d304320e156ff25250c61a2251123569d1971c1

    • SSDEEP

      768:B/vfiNH+Cz316uuJRw4YcDeQVF+g0Ego8QnfxARXeqf17DsGzA5:Jvs4ut4yQOJxTcfguSnsGzA5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks