General

  • Target

    Documents for your perusal.js

  • Size

    1.0MB

  • Sample

    220628-l3dc7agfcr

  • MD5

    377613bfa2aa0b0143caeadf2fcad9fb

  • SHA1

    c6ca17a49b21e31c43e7b0ab99e8fc40abe6f6dd

  • SHA256

    8e489340e5a0c5c56cfda0312f390e8479693264ce0efd9a8f82ac2acc5435b8

  • SHA512

    cd5483d6c8c6690872664294cfb6da2a49655a9a2cbcef4d5ba52e6ac0669f8cbb0dfea0c64d79603cd1488b4ecb17d95e57a7e63bde27747f397b53450a1dff

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    files.000webhost.com
  • Port:
    21
  • Username:
    zincox
  • Password:
    computer@1010

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://files.000webhost.com/
  • Port:
    21
  • Username:
    zincox
  • Password:
    computer@1010

Targets

    • Target

      Documents for your perusal.js

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • suricata: ET MALWARE AgentTesla Exfil via FTP

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

  • Collection

    Email Collection (T1114): 1

Tasks