General

  • Target

    Proforma86B.js

  • Size

    391KB

  • Sample

    220907-l4hz3abga2

  • MD5

    2a613ed18dbcffe2dd3078fe73c88083

  • SHA1

    d793d990c03e43b671b130c71c63b7ff39918719

  • SHA256

    cc8a7520327f4eec32983cddf4b2fb77826f8749d1336697fe1a51f027c1ec91

  • SHA512

    27ec56296c4cf66fde24cb8cce7272af18749eb014896572681bd03270a05f4f4951b7675e884485529b103f235abb34aada3a86588cf62bdee913963d5d13b3

  • SSDEEP

    6144:/jpvh+4GrFYF5P8g8Z07Fj1dBas7fN43IPt28PkIb2Gs7:/jj+7ezs0xpdBaxCKAm

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    server240.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Success4sure2day10@

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    %2B
  • Port:
    21
  • Username:
    application/x-www-form-urlencoded
  • Password:
    image/jpg
C2

p=

Targets

    • Target

      Proforma86B.js

    • Size

      391KB

    • MD5

      2a613ed18dbcffe2dd3078fe73c88083

    • SHA1

      d793d990c03e43b671b130c71c63b7ff39918719

    • SHA256

      cc8a7520327f4eec32983cddf4b2fb77826f8749d1336697fe1a51f027c1ec91

    • SHA512

      27ec56296c4cf66fde24cb8cce7272af18749eb014896572681bd03270a05f4f4951b7675e884485529b103f235abb34aada3a86588cf62bdee913963d5d13b3

    • SSDEEP

      6144:/jpvh+4GrFYF5P8g8Z07Fj1dBas7fN43IPt28PkIb2Gs7:/jj+7ezs0xpdBaxCKAm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks