General

  • Target

    Image_001.vbs

  • Size

    507KB

  • Sample

    240922-fy99gatckj

  • MD5

    369b2913abd7a1e2ecfeea185e737e61

  • SHA1

    eb9431fc12b373c216e2c89af2cfdafdc5dae727

  • SHA256

    8264386f0b6a0e9b2aa5f908dc3909f4b8a61b619edb269baf56bf7112ae100e

  • SHA512

    e6e02f36641a087c1e437885c1b432e325f6b805ba371093302092912065515efe090121ea54f432ea6e23c466a44635c426efbaad2268cf03c251b0657f8f9b

  • SSDEEP

    12288:bsD8YhlqjFf0pIWLNvd5/iaPr4/Is0en9sAWxihGmxLyKSHPh72RwsZIohgrVVMA:jcj6whXoTMA0t

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6852245174:AAHgk_9s-tH6YNacTaCnQz56uJMggI0fZDw/

Targets

    • Target

      Image_001.vbs

    • Size

      507KB

    • MD5

      369b2913abd7a1e2ecfeea185e737e61

    • SHA1

      eb9431fc12b373c216e2c89af2cfdafdc5dae727

    • SHA256

      8264386f0b6a0e9b2aa5f908dc3909f4b8a61b619edb269baf56bf7112ae100e

    • SHA512

      e6e02f36641a087c1e437885c1b432e325f6b805ba371093302092912065515efe090121ea54f432ea6e23c466a44635c426efbaad2268cf03c251b0657f8f9b

    • SSDEEP

      12288:bsD8YhlqjFf0pIWLNvd5/iaPr4/Is0en9sAWxihGmxLyKSHPh72RwsZIohgrVVMA:jcj6whXoTMA0t

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks