General

  • Target

    ef670fb4793463bc81ae7f07fc809bab0962fec614a3fef3bc779a4a382c2eae.vbe

  • Size

    10KB

  • Sample

    241112-dl14xstdqd

  • MD5

    254471760724bb645f41689c3bdc6dac

  • SHA1

    ceda7f23ac91b4af194c758b3c6e5b9100766da4

  • SHA256

    ef670fb4793463bc81ae7f07fc809bab0962fec614a3fef3bc779a4a382c2eae

  • SHA512

    f18fad6ae29adb4fca5b4b1a3d525062f955bc94ec89d4d913e6b0d802838ed428ecfdc42c18ae8950814889d0636bb47598236163e2a138dea8062431a04867

  • SSDEEP

    192:7QiwcCrwQiaIf536yhD1uFyQ3NvR13N1QZd9N0FK:2c+wQhQ53ZD8Fj3tRVN1M/NF

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks