General
-
Target
fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa.hta
-
Size
178KB
-
Sample
241121-kv8npazfkd
-
MD5
01928c833c9940a6896666a9d93b9670
-
SHA1
abe22dd055a6fa39c615cf72818e474f2525e7ae
-
SHA256
fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa
-
SHA512
e34bc23996ab1ec12117e463f8b8ec5b4e880635d435286d3e4d09c8499c044dd2f92d8c2927e1435287691ae14dc1e1f7331c2aeae103ca9ac56022b9d883e0
-
SSDEEP
48:4vahW5oZz7eWLB2CCz7lRo7dmz7lOwo7dO81bBPW1zKfD299Ddaq6bWyxf9DZRDf:4vCl17nuYMiFeAqfoqyWyflRJm0cfQ
Static task
static1
Behavioral task
behavioral1
Sample
fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa.hta
Resource
win10v2004-20241007-en
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.elquijotebanquetes.com - Port:
21 - Username:
[email protected] - Password:
4r@d15PS!-!h
Targets
-
-
Target
fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa.hta
-
Size
178KB
-
MD5
01928c833c9940a6896666a9d93b9670
-
SHA1
abe22dd055a6fa39c615cf72818e474f2525e7ae
-
SHA256
fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa
-
SHA512
e34bc23996ab1ec12117e463f8b8ec5b4e880635d435286d3e4d09c8499c044dd2f92d8c2927e1435287691ae14dc1e1f7331c2aeae103ca9ac56022b9d883e0
-
SSDEEP
48:4vahW5oZz7eWLB2CCz7lRo7dmz7lOwo7dO81bBPW1zKfD299Ddaq6bWyxf9DZRDf:4vCl17nuYMiFeAqfoqyWyflRJm0cfQ
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Blocklisted process makes network request
-
Evasion via Device Credential Deployment
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-