General

  • Target

    ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js

  • Size

    1KB

  • Sample

    240610-nkbgzsgh9z

  • MD5

    b0ce1ca2c611fe78fae0b7d46feb25c5

  • SHA1

    739448dbaa22c6d1f3b12b688faaf99604bd1ca4

  • SHA256

    ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b

  • SHA512

    a85227207b00a5697756c02b5ad31fac5344688f0b41dd703ed6d40f32adeea724b6f63e7ee25738089aadf79aac207e0de800eecb83bb6ae0a17d51a406703b

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js

    • Size

      1KB

    • MD5

      b0ce1ca2c611fe78fae0b7d46feb25c5

    • SHA1

      739448dbaa22c6d1f3b12b688faaf99604bd1ca4

    • SHA256

      ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b

    • SHA512

      a85227207b00a5697756c02b5ad31fac5344688f0b41dd703ed6d40f32adeea724b6f63e7ee25738089aadf79aac207e0de800eecb83bb6ae0a17d51a406703b

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic (.NET).

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden so the user sees no window while the script executes.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check before proceeding.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Sets the thread context of a thread in another process, which is the hand-off step used by process hollowing to start execution of injected code.

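Added example, not part of the sandbox report: detection logic that reproduces the five behavioural signatures listed above over a constructed, normalised event stream, and resolves the SetThreadContext hit to an injector/target pair. The report shows only signature names, so the PowerShell command line, the registry key (Control Panel\International\Geo), the IP lookup hosts, the blocklisted image list and the hollowed target image (RegSvcs.exe) are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the report). Each dict is one normalised
# sandbox observation; command lines, registry keys, hosts and the hollowed
# target image are assumptions, since the report lists only signature names.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 80,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\ff9217b4b482b604d5c89e9c8418a627fca4ad739cdc62d3f17da48aceaff19b.js"'},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "Start-Sleep 1"'},
    {"type": "network", "pid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "host": "stage.example.invalid", "port": 443},
    {"type": "api", "pid": 200, "api": "SetThreadContext", "target_pid": 300},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": "RegSvcs.exe"},
    {"type": "registry", "pid": 300, "op": "QueryValue",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "network", "pid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "host": "api.ipify.org", "port": 80},
    # Benign noise that must not fire.
    {"type": "process", "pid": 400, "ppid": 80,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "registry", "pid": 400, "op": "QueryValue",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
]

# powershell.exe accepts unambiguous parameter prefixes, so "-w hidden" and "-w h" both work.
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:id(?:den)?)?\b", re.IGNORECASE)
# Registry location of the configured country (GeoID); assumed key for the geofence check.
GEO_KEY_RE = re.compile(re.escape(r"\Control Panel\International\Geo"), re.IGNORECASE)
# Lookup services commonly abused to learn the victim's public IP (assumed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}
# Script hosts and .NET LOLBins that should not normally talk to the network (assumed list).
BLOCKLISTED_IMAGES = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                      "mshta.exe", "regsvcs.exe", "regasm.exe"}


def basename(path):
    """Lower-case file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def run_signatures(events):
    """Map each report signature name to the indices of the events that trigger it."""
    hits = defaultdict(list)
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "process":
            if basename(ev["image"]) in {"powershell.exe", "pwsh.exe"} and HIDDEN_WINDOW_RE.search(ev["cmdline"]):
                hits["Command and Scripting Interpreter: PowerShell"].append(i)
        elif kind == "registry":
            if GEO_KEY_RE.search(ev["key"]):
                hits["Checks computer location settings"].append(i)
        elif kind == "network":
            if ev["host"].lower() in IP_LOOKUP_HOSTS:
                hits["Looks up external IP address via web service"].append(i)
            if basename(ev["image"]) in BLOCKLISTED_IMAGES:
                hits["Blocklisted process makes network request"].append(i)
        elif kind == "api":
            # Changing a thread context in *another* process is the hand-off step of
            # process hollowing; a process touching its own threads is not suspicious.
            if ev["api"] == "SetThreadContext" and ev.get("target_pid") not in (None, ev["pid"]):
                hits["Suspicious use of SetThreadContext"].append(i)
    return dict(hits)


def injection_pairs(events):
    """Resolve cross-process SetThreadContext calls to (injector image, target image) pairs."""
    image_by_pid = {ev["pid"]: basename(ev["image"]) for ev in events if ev["type"] == "process"}
    return [(image_by_pid.get(ev["pid"], "?"), image_by_pid.get(ev["target_pid"], "?"))
            for ev in events
            if ev["type"] == "api" and ev["api"] == "SetThreadContext" and ev["target_pid"] != ev["pid"]]


def verdict(hits, threshold=4):
    """Crude scoring: several independent behaviours together, not any one of them, is what convicts."""
    return "agenttesla-like" if len(hits) >= threshold else "inconclusive"


if __name__ == "__main__":
    found = run_signatures(SAMPLE_EVENTS)
    for name, idx in found.items():
        print(f"{name}: events {idx}")
    print("injection:", injection_pairs(SAMPLE_EVENTS))
    print("verdict:", verdict(found))
```

Each signature on its own is weak (administrators hide PowerShell windows, and plenty of software asks for the public IP); the combination, plus the resolved injector/target pair, is what makes the report's verdict defensible.
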
MITRE ATT&CK Enterprise v15

Tasks