General
Target: 01072024_1030_01072024_DHL1x20'LY736449574.gz
Size: 9KB
Sample: 240701-mjvc2azcjm
MD5: 9b614dc4cda6d3b9ca3e93a0c4504c9b
SHA1: 0638be915c6f9e4ab6a4d329acb48fb4680288b9
SHA256: 6b6f57dc837bbcd056b5e5c76dfe32c362142ff8b228f0c5153b59a21d17e38f
SHA512: 615cb99db7c10cb6ba518990b7c8ef24d9b1d75aecb18e37a5b7fbd2eb382156a7a7d83c2f62edf0c1e3eab418e9725f5ccd557e97760e6ce73c888a7bff688d
SSDEEP: 192:Y9byKbgjF7HGd5TdtjJw1913uwxAmeFnqIIMzWrHX5q9BrR2zXXM:YQ7mXRtji135xte7IMzWrHXArR2LM
Static task: static1
Behavioral task: behavioral1
  Sample: DHL1x20'LY736449574.vbs
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: DHL1x20'LY736449574.vbs
  Resource: win10v2004-20240508-en
Malware Config
Extracted
agenttesla
Protocol: ftp
Host: ftp://ftp.concaribe.com
Port: 21
Username: [email protected]
Password: @Ixk.X0Q&I?d
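The extracted config above is the most directly actionable part of this report: it names the FTP drop server the stealer uploads to. The following Python is an added example (not code from the sandbox, the report, or the malware) that parses those config fields into network IOCs and runs them over connection-log lines. The config fields are the ones listed in the Malware Config section, reflowed to one field per line, with the username reproduced exactly as the report shows it; the log lines and their comma-separated layout (timestamp,src_ip,dst_host,dst_port,proto,ftp_user) are constructed for illustration and match no real tool's format.

```python
"""Turn the AgentTesla exfiltration config from this report into network
IOCs and match them against connection-log lines.

Added example for this report, not code from the sandbox or the malware.
REPORT_CONFIG holds the fields the Malware Config section lists; SAMPLE_LOG
and its comma-separated layout are constructed for illustration only.
"""
from urllib.parse import urlparse

# Config fields as listed in the report (reflowed to one 'Key: value' per line).
REPORT_CONFIG = """\
Protocol: ftp
Host: ftp://ftp.concaribe.com
Port: 21
Username: [email protected]
Password: @Ixk.X0Q&I?d
"""


def parse_config(text):
    """Parse 'Key: value' lines into a dict and normalise the host and port.

    The report wraps the host in an ftp:// URL; the usable IOC is the bare
    hostname, so it is split out as cfg['hostname'].
    """
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            cfg[key.strip().lower()] = value.strip()
    parsed = urlparse(cfg["host"])
    cfg["hostname"] = (parsed.hostname or cfg["host"]).lower()
    cfg["port"] = int(cfg.get("port") or parsed.port or 21)
    return cfg


def network_iocs(cfg):
    """The fields worth pushing to a blocklist or a SIEM watchlist.

    The password is deliberately left out: it is a credential for the
    attacker's drop server, not something to spread through a detection stack.
    """
    return {
        "hostname": cfg["hostname"],
        "port": cfg["port"],
        "protocol": cfg["protocol"],
        "username": cfg["username"],
    }


# Constructed log lines (not from the sandbox run). Two of them touch the
# drop server; the other two are benign background traffic.
SAMPLE_LOG = [
    "2024-07-01T10:31:02Z,10.0.0.23,ftp.concaribe.com,21,ftp,[email protected]",
    "2024-07-01T10:31:05Z,10.0.0.23,updates.example.net,443,https,",
    "2024-07-01T10:32:10Z,10.0.0.41,ftp.example.org,21,ftp,backup",
    "2024-07-01T10:33:00Z,10.0.0.23,FTP.CONCARIBE.COM,21,ftp,",
]


def match_log(lines, cfg):
    """Return one hit per log line that matches the config-derived IOCs."""
    ioc = network_iocs(cfg)
    hits = []
    for line in lines:
        fields = line.split(",")
        if len(fields) != 6:
            continue  # malformed line: skip rather than abort the hunt
        ts, src, dst, dport, proto, user = fields
        reasons = []
        if dst.lower() == ioc["hostname"]:
            reasons.append("drop-server-host")
            # The host alone is enough to flag; port/protocol agreement is noted separately.
            if dport.isdigit() and int(dport) == ioc["port"] and proto == ioc["protocol"]:
                reasons.append("drop-server-port")
        if user and user == ioc["username"]:
            reasons.append("drop-server-account")
        if reasons:
            hits.append({"ts": ts, "src": src, "dst": dst, "reasons": reasons})
    return hits


if __name__ == "__main__":
    cfg = parse_config(REPORT_CONFIG)
    print("IOCs:", network_iocs(cfg))
    for hit in match_log(SAMPLE_LOG, cfg):
        print(hit)
```

Matching is case-insensitive on the hostname because DNS names in proxy and firewall logs are not normalised consistently; the FTP username is compared exactly, since a hit on the account name is a strong signal of an actual exfiltration attempt rather than a mere connection.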
Targets
Target: DHL1x20'LY736449574.vbs
Size: 18KB
MD5: e18818173f8cf93e8b168e29c4ac3136
SHA1: 42059e8cf7003ad0e269f9ac0752e0387948c364
SHA256: 5563fa21470df110e69ef51c2ae908f4f9cba15b135f9d32d38971a7eabd1e9b
SHA512: 31c99f32ac7f71a61d2888872c8da4e259ba61fc685718155cfb01fec95f594376cc4bc3a6fb185325e5cba7493b7cea363bbe3a2be492406db07a2f28853b6a
SSDEEP: 384:4dQM+6JUwsljx9xS04WLhbumq0mYSNBeVTmF+SGKKB1dA0+TgtAtTmblc:unJUDvSrPBQmF+SGKKBA08ltz
Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext