General

  • Target: Enquiry.js
  • Size: 600KB
  • Sample: 240910-fgz26sygnh
  • MD5: e4ebbd53baeef25a609ca99d02597894
  • SHA1: 2e58262341e25658a58998e0e5e777b945794d3f
  • SHA256: 821b835cf408ed1749ad5723447b414e84cf453af621230e3dcb01f7be6a2495
  • SHA512: 47188f531a25376b0d9c5067f456099eb769b44a1a7600c0d174bff541efc53054b88905be310f4bdcf0cc69707185e066ab1e51cafe2b0ad332e2ef512f6e6a
  • SSDEEP: 12288:qlOnKcIIFOk6bVv2YpLuqACRkfJjdiHUTYmjikyFGjVxleUYt5SvXEdq9GAnXPof:8nuVOkeoiNX+Wf

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs:
    • ps1.dropper: https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
    • exe.dropper: https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

Credentials

  • Protocol: smtp
  • Host: mail.detarcoopmedical.com
  • Port: 587
  • Username: [email protected]
  • Password: To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Enquiry.js

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks