General
-
Target
DHL INVOICE-2356.vbs
-
Size
43KB
-
Sample
240922-fy99gatcjq
-
MD5
0c816e41fef783ec40ce2d7447d4c5dd
-
SHA1
e0f156439fcba011174f92ef01a4a376b337314d
-
SHA256
b828a42d31cb9bab2620c4c1def73499c542be4f19a802c08e9c0a0971192c3f
-
SHA512
cb93ee840b711ad21cebb8f2d1f98aee087a166c320783de4913bfa70db5118780edd00d5df7712f9473452918f05d2ebad88f23280f10f97ded355b22bab7c3
-
SSDEEP
768:B696nNHECqC68L+iyHNm4WH8xlDeVXQ8MuCzPvbG4O8/MsOAkieqfz7DIKFAR:g9Ge8LP4xxaQhlDDpUssRWnIKFAR
Static task
static1
Behavioral task
behavioral1
Sample
DHL INVOICE-2356.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
DHL INVOICE-2356.vbs
Resource
win10v2004-20240802-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
marcellinus360 - Email To:
[email protected]
Targets
-
-
Target
DHL INVOICE-2356.vbs
-
Size
43KB
-
MD5
0c816e41fef783ec40ce2d7447d4c5dd
-
SHA1
e0f156439fcba011174f92ef01a4a376b337314d
-
SHA256
b828a42d31cb9bab2620c4c1def73499c542be4f19a802c08e9c0a0971192c3f
-
SHA512
cb93ee840b711ad21cebb8f2d1f98aee087a166c320783de4913bfa70db5118780edd00d5df7712f9473452918f05d2ebad88f23280f10f97ded355b22bab7c3
-
SSDEEP
768:B696nNHECqC68L+iyHNm4WH8xlDeVXQ8MuCzPvbG4O8/MsOAkieqfz7DIKFAR:g9Ge8LP4xxaQhlDDpUssRWnIKFAR
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-