General
-
Target
7c5e8174cdba01f663d435d1ea9d3c41.js.vir
-
Size
374KB
-
Sample
221206-gaq2cshe78
-
MD5
2c18b9d4a4e1519c66e969e5296eb46d
-
SHA1
b2852a309cab8cf2315f1b9898c4209d63c617e7
-
SHA256
2d96512f33cd8445144d7e54a10372aee634560021661e5988ff503bbff094fd
-
SHA512
d2369695292d171792e4aa21a3ecaa60ad8068bca86aa9e275a387f14703ec1502be74e9169a94b1fb5a55a0c2f305dae59803b27d21ac734180be301e4a3942
-
SSDEEP
6144:Nw/VyURyDDckawASdoFoYbwXiC4gJMYSDnc3erU5B7LGfMzD:iy4xA4gJNSvgmfM/
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5752794370:AAGHbBIUSUvwQW5dpdi3bNZyPbHwpEPD5r0/
Targets
-
-
Target
7c5e8174cdba01f663d435d1ea9d3c41.js.vir
-
Size
374KB
-
MD5
2c18b9d4a4e1519c66e969e5296eb46d
-
SHA1
b2852a309cab8cf2315f1b9898c4209d63c617e7
-
SHA256
2d96512f33cd8445144d7e54a10372aee634560021661e5988ff503bbff094fd
-
SHA512
d2369695292d171792e4aa21a3ecaa60ad8068bca86aa9e275a387f14703ec1502be74e9169a94b1fb5a55a0c2f305dae59803b27d21ac734180be301e4a3942
-
SSDEEP
6144:Nw/VyURyDDckawASdoFoYbwXiC4gJMYSDnc3erU5B7LGfMzD:iy4xA4gJNSvgmfM/
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-