General

  • Target

    ce5bd1aa52f3f77592e112958dbaea837cadf8acd005602006dce7a7c59a464c.zip

  • Size

    407KB

  • Sample

    230321-r5x39sde9x

  • MD5

    50a5413e7f25b7b80a8848b8459de002

  • SHA1

    d26bfb06d4d08a4b55303638b47be612454d1104

  • SHA256

    b692da3929ae4eee45be5df1215158281d8eebd2564747a0c4c5658f345a4879

  • SHA512

    655d9b8443bbe2839dcfa528ded7221601231cc5dc26163053b23f4da3e7272487dc4e356b9ed0049f72ba07d44e6aa80976e8a7af1c1a1901f5e91cc3c02f0b

  • SSDEEP

    6144:pvNBeovchyk0XlnRkXLvocjg85IYwV071zOxzMN2l3vxF4chmQRXjSxLMHXeDhMv:xpUyk01m/jg8i0QNM+vjzRXjose1w

Malware Config

  • Extracted

    Family

    agenttesla

    Credentials

  • Extracted

    Family

    wshrat

    C2

    http://45.90.222.125:7121

Targets

    • Target

      ce5bd1aa52f3f77592e112958dbaea837cadf8acd005602006dce7a7c59a464c.js

    • Size

      2.5MB

    • MD5

      9175b77d9dc057654b1e8a250bbbac32

    • SHA1

      f87919ed7bbc44e3d7e144f5a6a4fa98b977902f

    • SHA256

      ce5bd1aa52f3f77592e112958dbaea837cadf8acd005602006dce7a7c59a464c

    • SHA512

      06390f1b79616996c17e22ace3daab0cae0f92ee160b44f5ee2d3aa0b2a659879ea964650e6f2603b0677881e30cc2d2ce8c88d83c22dc91a33de17174dd9ec0

    • SSDEEP

      6144:sSsZijs7CVe6HBDjrgS+I+fnTSsw4JQtEL9bs+VcuM2dW9otXdxLb3x/vKAOaGAI:fHa+MDq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks