General

  • Target

    UPDATED SOA.js

  • Size

    392KB

  • Sample

    220816-hzdb8sgeh3

  • MD5

    68d96b8efb44dbfafc5b211172701b24

  • SHA1

    d0dc594d110229ed8b7facf3c5456400b557e473

  • SHA256

    9f9766be676c58a1308d3995acc28415ff75acc4e0ffa289fd592eebcb8ecfcb

  • SHA512

    5e1c596862d86bb9d63c47670b33b41c95f93e0937dd0891acc125e524fe52949b1580626aa22601c956e8eef57c8c031a68e92a5aefe6dff93bcdb651d3e10c

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.losbrothersconstruction.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    508135Pry

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      UPDATED SOA.js

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks