General

  • Target

    Order_PO398524785.js

  • Size

    398KB

  • Sample

    221005-l7c8zseac6

  • MD5

    1fbdad6970b6d87cfe09d50ba8954c84

  • SHA1

    91519d480a627602bb4bccd8bc13c20734839a8e

  • SHA256

    eb7fb84a49611c285605158c027c99274dd0c9e0814d47c8400b683fdd960246

  • SHA512

    a3e4af6281381029a4c9a8d54dc9c0420d03f48e4994f6d3262f857035242a5c704f6f76c2536445c5cc8f236c8fb514cec2097e616f34520a686f6534c10cce

  • SSDEEP

    6144:ufkTb6uxdbaXizoY9Z4lwCjbUECLmOLtUtv:u6Xbrzvsly3sv

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.rzr0ngtai.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    KBRvm@q1

Targets

    • Target

      Order_PO398524785.js


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks