General
-
Target
PO N°CF004303.js
-
Size
46KB
-
Sample
221125-h4dhssdh61
-
MD5
2d7eb6057c440a29f5665fa451e81652
-
SHA1
92ea018787415f08474136050bb93b440b703de7
-
SHA256
35f530a0947f106cbb34d04a9522109b4934bf63806f1c91c38b5f077a1c40b5
-
SHA512
93e6db0031e4ca133504871e937c50900a2fad66d5e0a3428a493bcf473c796912c7840e4ca05bf1b8aa4c4a2c217fece1ebd3969e2b863d6cbbd3716528b747
-
SSDEEP
768:NZLVEiEj4aonG/Su22Anqf54DdV48E/hcuIvGpYFbft5s:6ic4aot2qqfWfI/hcuIS8bftu
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.vinadiali.com - Port:
587 - Username:
[email protected] - Password:
mjuSFRU8
Extracted
wshrat
http://45.139.105.174:2070
Targets
-
-
Target
PO N°CF004303.js
-
Size
46KB
-
MD5
2d7eb6057c440a29f5665fa451e81652
-
SHA1
92ea018787415f08474136050bb93b440b703de7
-
SHA256
35f530a0947f106cbb34d04a9522109b4934bf63806f1c91c38b5f077a1c40b5
-
SHA512
93e6db0031e4ca133504871e937c50900a2fad66d5e0a3428a493bcf473c796912c7840e4ca05bf1b8aa4c4a2c217fece1ebd3969e2b863d6cbbd3716528b747
-
SSDEEP
768:NZLVEiEj4aonG/Su22Anqf54DdV48E/hcuIvGpYFbft5s:6ic4aot2qqfWfI/hcuIS8bftu
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-