General

  • Target: Drawings-NRTT_DMK.js
  • Size: 408KB
  • Sample: 220815-tf782scgfr
  • MD5: 1f2339218ab3834093d6aa27dea7d219
  • SHA1: f28dbae21644fed142fb3925ba51a78963f8ae00
  • SHA256: 274d872400d90914f4c93b2ad50482cdcd862dc241ff3ad9367f7667342b8611
  • SHA512: a5d59dc30d9c097598d434a02d4b0587ad9e54307f0b70df47a80d9a8f5323b39af05bf86ef89917f5c174f5adbdbdb87d52a2c5d6266b65e83876b3a5c3aa45

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Newton@22

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • AgentTesla payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks