General
- Target: 73b63a59ea3c5c6f049420fb7a4a4dc4e91036c24e2b25bae406aac1f56a1812.wsf
- Size: 189KB
- Sample: 250129-db9y3symdw
- MD5: 3b970c76dbc74cd9b119f487a22c1683
- SHA1: 4ebb9876723c2fc5fda46b098094cf0104efac55
- SHA256: 73b63a59ea3c5c6f049420fb7a4a4dc4e91036c24e2b25bae406aac1f56a1812
- SHA512: 74f4bbe6c8ff3769e4a70189bf28aba7ac0bf8c6a4440c88b24fa6d2207ea4169f032b37d465ca981f2bc4f69f25fd089256bde24d88f7a4e003f6d80beef821
- SSDEEP: 3072:z/zQ6Vv//riU/tEqZjCwNZiU/tEyWiU/tEqZjCwNZiU/tEAI6:0U/tESLNQU/tEylU/tESLNQU/tEa
Static task: static1
Behavioral task: behavioral1
- Sample: 73b63a59ea3c5c6f049420fb7a4a4dc4e91036c24e2b25bae406aac1f56a1812.wsf
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 73b63a59ea3c5c6f049420fb7a4a4dc4e91036c24e2b25bae406aac1f56a1812.wsf
- Resource: win10v2004-20241007-en
Malware Config
Extracted
- https://res.cloudinary.com/daxwua63y/image/upload/v1737543662/new_image_h8btwc.jpg%20
Extracted
- agenttesla
- https://api.telegram.org/bot6050556352:AAE_-mublQ2CllMbT9xkQVBjSBbdvdYR1kM/
Targets
- Target: 73b63a59ea3c5c6f049420fb7a4a4dc4e91036c24e2b25bae406aac1f56a1812.wsf
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext