General

  • Target

    Order_EWJCfoDWvL_ors2.js

  • Size

    402KB

  • Sample

    221005-l7c8zseac4

  • MD5

    7120d5dec62d6d89c8c0f599b6637b57

  • SHA1

    a9d6149d6686be2d98c651fccc055bcbe1882564

  • SHA256

    c8a410f88d3ad6376bdb11bc68976624082e070f5cd4b0cd51403648778c9d41

  • SHA512

    84e69339c61e7a3a7aec4c9484637537a49ad66f21ae61465523b46ed37ea9ea75009539a191288a5ab4e7cbf535721e34f38851a5f280659c3a9380bb2be754

  • SSDEEP

    6144:c6OTnny3bg5SMJSPyf6Oi1ZSPFh8g80zFd:c6kypMJimNpd

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.rzr0ngtai.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    KBRvm@q1

Targets

    • Target

      Order_EWJCfoDWvL_ors2.js

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access trojan (RAT), originally written in Visual Basic .NET. It exfiltrates harvested credentials over channels such as SMTP, which matches the SMTP server, port and account extracted from this sample above.

    • Vjw0rm

      Vjw0rm is a remote access trojan (RAT) written in JavaScript, which matches the .js sample analysed here.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry (typically HKCU\Control Panel\International\Geo\Nation); malware commonly uses this as a geofence to avoid running in particular regions.

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store account settings and credentials on disk and in the registry, where infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data such as saved logins, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application
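
The behaviours flagged above, together with the SMTP host and port from the extracted config, can be turned into detection logic that runs over an execution trace. The script below is an added example, not part of the sandbox report or its tooling. The trace records are constructed for this example in a simplified format (a "type" per record plus a few fields); real Sysmon or EDR telemetry has different field names, and Sysmon in particular does not log registry reads, so the geofence and Outlook-profile checks need API-level tracing as a sandbox provides. The file and registry paths it matches (Startup folder, Run key, Geo\Nation, Outlook profile keys, Chrome "Login Data") are real Windows locations; the process names, PIDs and IP address in the sample trace are made up.

```python
"""Match sandbox-style behaviour signatures against a constructed execution trace.

Added example (not from the report). Indicators C2_SMTP_HOST/C2_SMTP_PORT come
from the report's extracted config; every trace record below is constructed.
"""
import re
from collections import defaultdict

# Indicators copied from the report's extracted config.
C2_SMTP_HOST = "smtp.rzr0ngtai.com"
C2_SMTP_PORT = 587

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # "blocklisted" script interpreters
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Outlook\\Profiles\\|\\Windows Messaging Subsystem\\Profiles\\", re.I)
BROWSER_DATA_RE = re.compile(r"\\(Login Data|logins\.json|key4\.db)$", re.I)

# Constructed sample trace (not sandbox output). Simplified record format:
# "type" in {process, file_write, file_read, reg_set, reg_read, net_connect}.
SAMPLE_TRACE = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\Order_EWJCfoDWvL_ors2.js"'},
    {"type": "reg_read", "pid": 100, "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "pid": 100, "path": r"C:\Users\victim\AppData\Roaming\Microsoft"
                                               r"\Windows\Start Menu\Programs\Startup\Order_EWJCfoDWvL_ors2.js"},
    {"type": "file_write", "pid": 100, "path": r"C:\Users\victim\AppData\Local\Temp\svchosts.exe"},
    {"type": "net_connect", "pid": 100, "dst": "198.51.100.23", "port": 80},   # documentation IP
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Users\victim\AppData\Local\Temp\svchosts.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\Temp\svchosts.exe"},
    {"type": "reg_set", "pid": 200, "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"},
    {"type": "reg_read", "pid": 200, "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles"
                                             r"\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email"},
    {"type": "file_read", "pid": 200,
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "net_connect", "pid": 200, "dst_host": C2_SMTP_HOST, "port": C2_SMTP_PORT},
]


def triage(trace):
    """Return {rule_name: [record indexes that fired it]}.

    Two pieces of state are carried across records: paths written by any traced
    process (so a later process creation from one of them is "executes dropped
    EXE"), and the PIDs of script hosts (so their network activity is flagged).
    """
    hits = defaultdict(list)
    dropped = set()       # lower-cased paths written during the trace
    script_pids = set()   # PIDs whose image is wscript/cscript
    for i, ev in enumerate(trace):
        kind, path = ev["type"], ev.get("path", "")
        if kind == "process":
            image = ev["image"]
            if image.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
                script_pids.add(ev["pid"])
            if image.lower() in dropped:
                hits["executes_dropped_exe"].append(i)
        elif kind == "file_write":
            dropped.add(path.lower())
            if STARTUP_DIR_RE.search(path):
                hits["drops_startup_file"].append(i)
        elif kind == "reg_set" and RUN_KEY_RE.search(path):
            hits["adds_run_key"].append(i)
        elif kind == "reg_read":
            if GEO_KEY_RE.search(path):
                hits["checks_geo_location"].append(i)
            if OUTLOOK_PROFILE_RE.search(path):
                hits["reads_outlook_profiles"].append(i)
        elif kind == "file_read" and BROWSER_DATA_RE.search(path):
            hits["reads_browser_data"].append(i)
        elif kind == "net_connect":
            if ev["pid"] in script_pids:
                hits["script_host_network"].append(i)
            if ev.get("dst_host", "").lower() == C2_SMTP_HOST and ev["port"] == C2_SMTP_PORT:
                hits["smtp_exfil_to_known_c2"].append(i)
    return dict(hits)


PERSISTENCE = {"drops_startup_file", "adds_run_key"}
CREDENTIAL_ACCESS = {"reads_outlook_profiles", "reads_browser_data"}
NETWORK = {"smtp_exfil_to_known_c2", "script_host_network"}


def verdict(hits):
    """Coarse verdict: persistence + credential access + network activity => malicious."""
    fired = set(hits)
    if fired & PERSISTENCE and fired & CREDENTIAL_ACCESS and fired & NETWORK:
        return "malicious"
    return "suspicious" if fired else "clean"


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for rule, idx in sorted(result.items()):
        print(f"{rule:28s} records {idx}")
    print("verdict:", verdict(result))
```

The "executes dropped EXE" rule is the one worth copying: it needs the trace to be processed in order and a file-write set to be kept, because the signal is the relation between two records rather than any single one. The SMTP rule matches the hostname from the config; in production you would also resolve it and match the destination IP, since the actual connection record will usually carry an address.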

MITRE ATT&CK Enterprise v6

Tasks