General

Target: Company-profile-of-VCR-ORDER63729.xlsx.vbs
Size: 152KB
Sample: 241216-lstmesvne1
MD5: 41cf7825cf77ddf8fb888749b7b6547f
SHA1: b89fc1ab3e8df2bc33e8aae8f1bf6a82b1788705
SHA256: 9a9e5c97bca11cc8a54c61b20e4dbb5ed1dc77f9327e0e27c8bf1e86fb6bb5d7
SHA512: 232cd73ade4e1433a65e377833eb16b9c01dfaf6b59012e163758c67233252551fab98887fad9ad2bc4f84f4233eff59495d594834c15c25020872ad7bff3f64
SSDEEP: 3072:1ew51avxlU+tI1DTQX8F7CNEoWGXu+Fqew51avxlU+tI1DTQX8F7CNEoWGXu+qeF:1ecOxlUq6sX8F7cKGXPFqecOxlUq6sXB
Static task: static1
Behavioral task: behavioral1 (sample Company-profile-of-VCR-ORDER63729.xlsx.vbs, resource win7-20240903-en)
Behavioral task: behavioral2 (sample Company-profile-of-VCR-ORDER63729.xlsx.vbs, resource win10v2004-20241007-en)
Malware Config

Extracted (no family attributed; the same URL was recovered twice):
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Extracted (agenttesla; Telegram bot API URL, the exfiltration channel Agent Tesla uses when configured for Telegram):
https://api.telegram.org/bot6050556352:AAE_-mublQ2CllMbT9xkQVBjSBbdvdYR1kM/
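The extracted config above is raw strings: one URL is recovered twice and carries a trailing "%20", and the Telegram URL embeds the bot credential in its path. The following added example (not part of the sandbox report, and not Agent Tesla code) normalises those entries, de-duplicates them, classifies each one and pulls the numeric bot ID out of the Telegram URL so it can be logged or shared without the secret half of the token. The input list is the page's own config; the "kind" labels and the None family on the unlabelled entries are this example's own choices.

```python
"""Normalise and classify the URLs recovered from the sample's extracted config.

Added example, not part of the sandbox report and not Agent Tesla code. The
input strings are the extracted-config entries as they appear on the page; the
family label on the first two is absent there and is kept as None.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed input, copied from the report (the trailing "%20" is reproduced verbatim).
EXTRACTED_CONFIG: List[Tuple[Optional[str], str]] = [
    (None, "https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20"),
    (None, "https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20"),
    ("agenttesla", "https://api.telegram.org/bot6050556352:AAE_-mublQ2CllMbT9xkQVBjSBbdvdYR1kM/"),
]


def normalize_url(url: str) -> str:
    """Percent-decode, then strip surrounding whitespace and a trailing slash so duplicates collapse."""
    return unquote(url).strip().rstrip("/")


def telegram_bot_id(url: str) -> Optional[str]:
    """Numeric bot ID from an api.telegram.org/bot<id>:<secret>/ URL, or None if the URL is not one."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    first = parts.path.strip("/").split("/", 1)[0]
    if not first.startswith("bot") or ":" not in first:
        return None
    bot_id = first[3:].split(":", 1)[0]
    return bot_id if bot_id.isdigit() else None


def classify(url: str) -> str:
    """Coarse indicator type (example's own labels): Telegram bot endpoint, CDN-hosted object, or unknown."""
    if telegram_bot_id(url) is not None:
        return "telegram-bot-api"
    host = urlsplit(url).hostname or ""
    if host == "res.cloudinary.com" or host.endswith(".cloudinary.com"):
        return "cdn-hosted-object"
    return "unknown"


def indicators(config: List[Tuple[Optional[str], str]] = EXTRACTED_CONFIG) -> List[Dict]:
    """De-duplicated indicator records ready for a blocklist or hunt query."""
    seen = set()
    out: List[Dict] = []
    for family, raw in config:
        url = normalize_url(raw)
        if url in seen:
            continue
        seen.add(url)
        out.append({
            "family": family,
            "url": url,
            "host": urlsplit(url).hostname,
            "kind": classify(url),
            "bot_id": telegram_bot_id(url),
        })
    return out


if __name__ == "__main__":
    for rec in indicators():
        print(rec["kind"], rec["host"], rec["bot_id"], rec["url"])
```

Only the numeric prefix of the bot token is returned as an indicator; the part after the colon is the credential itself and belongs in the blocklist entry, not in a shared report. Normalising before de-duplication is what lets the two Cloudinary entries collapse to one record despite the encoded trailing space.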
Targets

Target: Company-profile-of-VCR-ORDER63729.xlsx.vbs
Size: 152KB
MD5: 41cf7825cf77ddf8fb888749b7b6547f
SHA1: b89fc1ab3e8df2bc33e8aae8f1bf6a82b1788705
SHA256: 9a9e5c97bca11cc8a54c61b20e4dbb5ed1dc77f9327e0e27c8bf1e86fb6bb5d7
SHA512: 232cd73ade4e1433a65e377833eb16b9c01dfaf6b59012e163758c67233252551fab98887fad9ad2bc4f84f4233eff59495d594834c15c25020872ad7bff3f64
SSDEEP: 3072:1ew51avxlU+tI1DTQX8F7CNEoWGXu+Fqew51avxlU+tI1DTQX8F7CNEoWGXu+qeF:1ecOxlUq6sX8F7cKGXPFqecOxlUq6sXB
Signatures

- AgentTesla: Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (Visual Basic .NET).
- Agenttesla family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check before the payload runs.
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext
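The signatures above are behavioural: each fires on a registry key, file path, API call or network action the sample performed. The added example below (not from the sandbox, and not its signature engine) replays equivalent rules over a constructed event trace so the mapping from observed behaviour to each listed signature is explicit. The event schema (kind plus one or two fields), the value and file names, the user path, the blocklisted image names and the ATT&CK IDs are this example's own choices; the registry locations are the real Windows keys such a check would touch. Note that SetThreadContext and the registry reads only show up in an API trace, not in Sysmon, which logs registry writes but not reads.

```python
"""Replay the sandbox's behavioural signatures over a constructed event trace.

Added example, not part of the report. The events use a made-up flat schema
(kind plus one or two fields); the value names, file names, user path and the
ATT&CK mappings are this example's own choices, picked to match the behaviours
the report lists for the sample.
"""
import re
from typing import Dict, List

# (report signature, ATT&CK ID (example's mapping), event kind, field, pattern)
RULES = [
    ("Adds Run key to start application", "T1547.001", "registry_set", "key",
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"),
    ("Drops startup file", "T1547.001", "file_create", "path",
     r"\\Start Menu\\Programs\\Startup\\"),
    ("Checks computer location settings", "T1614", "registry_read", "key",
     r"\\Control Panel\\International\\Geo\\Nation$"),
    ("Accesses Microsoft Outlook profiles", "T1114.001", "registry_read", "key",
     r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\"),
    ("Suspicious use of SetThreadContext", "T1055", "api_call", "api",
     r"^(Nt|Zw)?SetThreadContext$"),
    ("Blocklisted process makes network request", "T1059.005", "network_connect", "image",
     r"\\(wscript|cscript|mshta|powershell)\.exe$"),
    ("Contacts Telegram bot API from extracted config", "T1567", "network_connect", "host",
     r"^api\.telegram\.org$"),
]

# Constructed trace: "Updater" value/file names and the user profile path are hypothetical.
SAMPLE_EVENTS = [
    {"kind": "registry_read", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"kind": "file_create",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.vbs"},
    {"kind": "registry_read",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"kind": "api_call", "api": "SetThreadContext"},
    {"kind": "network_connect", "image": r"C:\Windows\System32\wscript.exe", "host": "res.cloudinary.com"},
    {"kind": "network_connect", "image": r"C:\Windows\System32\wscript.exe", "host": "api.telegram.org"},
    # Benign read that must not fire anything.
    {"kind": "registry_read", "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductName"},
]


def match_events(events: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Return {signature: {"attack": id, "evidence": [matched field values]}} for every rule that fires."""
    hits: Dict[str, Dict] = {}
    for ev in events:
        for name, attack, kind, field, pattern in RULES:
            if ev.get("kind") != kind:
                continue
            value = ev.get(field, "")
            if re.search(pattern, value, re.IGNORECASE):
                hits.setdefault(name, {"attack": attack, "evidence": []})["evidence"].append(value)
    return hits


def attack_ids(hits: Dict[str, Dict]) -> List[str]:
    """Distinct ATT&CK IDs covered by the fired rules, sorted for stable reporting."""
    return sorted({h["attack"] for h in hits.values()})


if __name__ == "__main__":
    for name, h in match_events(SAMPLE_EVENTS).items():
        print(f"[{h['attack']}] {name}: {len(h['evidence'])} event(s)")
```

Each rule keys on one field of one event kind, so a single network event can legitimately fire two signatures (the script host making any request, and the destination being the Telegram endpoint from the config). Keeping the evidence values alongside the signature name is what makes the result usable for triage rather than just a count.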
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 1 signature
  - Registry Run Keys / Startup Folder (T1547.001): 1 signature