General

  • Target

    productList-pdf.js

  • Size

    398KB

  • Sample

    220815-tf7yaaffb6

  • MD5

    67e8782fae2a854e07eb6eb411f758c8

  • SHA1

    9ed9b336a0a96c8dbc45ed230950ef35693f25ed

  • SHA256

    bd19686034b4d10dd2c84c6732e637fd3bd076b74e0b19dd4d0f86ab46500c5f

  • SHA512

    2e7d5b30b3732ad67e5624fcce7551a6f3113816b55afb4484996985a7f56fc34a4165639988a362a7c75f176a0bee224a54a6e9fb758d84f4e609b9ad29817c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    server240.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Success4sure2day10@

Targets

    • Target

      productList-pdf.js

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, etc.

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks