General

  • Target

    REF DOCUMENTS.js

  • Size

    30KB

  • Sample

    240916-rl9myssana

  • MD5

    86185d6d160eabe88692b9dbf3ff3e71

  • SHA1

    66cf746399849a72487a7ce9f8dd652d982a72bd

  • SHA256

    af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7

  • SHA512

    15da27ecca298442aded5ad4a5a45522880013e7f9906d386167b27ad9439d08ecafdfd6c3de638bc3719d46d89f45116cf560772db11d3aae420cfbf059bd3e

  • SSDEEP

    768:OVWm9aFqK2YmaQ4Vg4vf4bQuvAsBvPquk6Q:Omkk6Q

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks