879fa7f8b4bff5ac3937d842473a06c94d8806793d0ed4c6649355f3b62f2719 | Triage

Sharing

General

Target

19092024_0649_Purchase Order.js.zip
Size

240KB
Sample

240919-hlh1kawdkq
MD5

deefd47743e3937610c94d238aa00f60
SHA1

050927554986513ec5cfb64856fbe01b95818865
SHA256

879fa7f8b4bff5ac3937d842473a06c94d8806793d0ed4c6649355f3b62f2719
SHA512

9c1ee33489ace14b082ae31012655ef9924e7293cb38cc9e57fc75751ac269e183f60d5972933dc61495105b77b69f1b2526dd57d7e466b9d65559215bfd8629
SSDEEP

3072:rLT3HnQg9Chulittrt0EvEw3FwyUXHEHr3x3oDQyIbZmrUUv4dSocLrEZaitEWwI:rLTwhulMD07w3nUXaxFPsVIaTjkhHX

Score

10^/10

collection credential_access discovery execution persistence privilege_escalation stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Targets

- Target
  
  Purchase Order.js
- Size
  
  602KB
- MD5
  
  c23145032eb9417255ffe33e719afaf2
- SHA1
  
  b0a2b6174179ef5d05489253802030b4fda20165
- SHA256
  
  61f366924b6047fc1edf5494e19322990fcd3544641cdf26c63d893116a712ee
- SHA512
  
  fcb72da665866518fac8a02081cda1fa988aa47c8dc4ec25fe18063637117c7c693de71a2914eefbb89431fcf964857e07fdfce5cb6bf8a5f4919951e8f9835e
- SSDEEP
  
  12288:L0jCPxgfEU+BG/njP9Rc8AfSeh/xxvLmKiinJ/9xuaRZb7bIsDvZX9i4Mw61uBKW:nsbdc52Gz/SkD9
Score

10^/10

execution collection credential_access discovery persistence privilege_escalation stealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

collectioncredential_accessdiscoveryexecutionpersistenceprivilege_escalationstealer