General

  • Target

    RFQ_ERSPEOEOT-BOQ.js

  • Size

    397KB

  • Sample

    220815-tf7yaacgfn

  • MD5

    e02347ac7601d49a3fb9c5e833a74b76

  • SHA1

    677b725cad46390c0ad1f9d2db6c364b3ee9254b

  • SHA256

    a27068873cabebea326714ca7d9c85b0fdbdb9266522babf3410d3584dc2ed68

  • SHA512

    d680c37fc6705044d18e222006c7f5e2be39b341e45c2821303f2fab71d217c84c9366ec843df1b2196521e49e4aa58d724dfff53d9fd71cd0ea243fe6a5eec3

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5435181529:AAFcLLerCu2sj2T7WqqNwdJLOfZk0xh7NZ0/sendDocument

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6