General

  • Target

    19092024_0651_TECHNICAL SHEET.js.gz

  • Size

    233KB

  • Sample

    240919-hmw9kswbqb

  • MD5

    37bd3b069fc1f382d10647615eb8f13a

  • SHA1

    dfcc3ba844ea373e8d98db71255d534590d49dfa

  • SHA256

    37aa5d5a613a910eb3baabd1e8a5c799d6585b7e267b6c5fc984392daf05d7cb

  • SHA512

    bcf8fb91460bd208320e2274b4ffb5cfe9020933e583ba3bb4bc1b396b3965cd5405392627966a75b1faf3dbccb940f5c870fd82ac9714aaf4610577f4f3927e

  • SSDEEP

    6144:SahkIF+S4Egs6lQsSzbMsq+Kk7vl0Rk37aoAYCFq:SI0SvsZS/Mz+KkGqtAVq

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

    exe.dropper

    https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.detarcoopmedical.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      TECHNICAL SHEET.js

    • Size

      601KB

    • MD5

      1209aa3c1e362933feb8865c34f2a4ee

    • SHA1

      91d4969e93f600480f20399fc2343448dadd8526

    • SHA256

      5887f2482c2d989943b76bb2c63d4809e019e6a993e60b66d776132503658f7d

    • SHA512

      4ee970984f0550f75b6f56102181a439f8428735c3ea3b0716d3fdbb1c60fa4e5a8350aa45f544e1a8cf368597819949df67c56657e5594561b86a941236b695

    • SSDEEP

      12288:HZhY3S3w+Z45JZ+3fUqHwiPAlpIyvvQ54UBPOX8a1Gepxfa+rjuCi5oKjXdbdOv1:fYi3PGLx3USi5UwwB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
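
The signatures above describe observed behaviour, not how to find it in your own telemetry. The following is an added example, not part of this report or of the sandbox's own signature code: a small Python pass over constructed Sysmon-style records that flags the chain described here (a script host launching PowerShell with a hidden window, the country-code registry lookup, a fetch from the archive.org dropper host, and an SMTP connection to the extracted exfiltration server on port 587). The record layout, the sample events, the process names in them, and the registry value HKCU\Control Panel\International\Geo\Nation used to model the location check are assumptions and are not taken from the report; the hostnames and port are the indicators the report extracts.

```python
"""Detection pass over constructed endpoint telemetry for the behaviours the
report lists. Added example; not part of the sandbox report or its tooling.

Assumptions not stated by the report: records are Sysmon-style dicts with the
fields used below, and the "checks computer location settings" behaviour is
modelled as a read of HKCU\\Control Panel\\International\\Geo\\Nation.
"""
import re

# Indicators taken from the report's extracted config.
DROPPER_HOST = "ia904601.us.archive.org"
EXFIL_HOST = "mail.detarcoopmedical.com"
EXFIL_PORT = 587

# Assumed registry value (not named in the report) for the geofence lookup.
GEO_NATION = r"control panel\international\geo\nation"

# PowerShell accepts any unambiguous prefix of -WindowStyle and of "Hidden",
# so "-w h", "-win hidden" and "-WindowStyle Hidden" all hide the window.
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w[a-z]*\s+h[a-z]*(?:\s|$)", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def hidden_powershell_from_script_host(ev):
    """A JS/VBS dropper (wscript/cscript) starting PowerShell with a hidden window."""
    if ev.get("type") != "ProcessCreate":
        return False
    image = ev["image"].lower()
    parent = ev.get("parent_image", "").lower()
    return (image.endswith("powershell.exe")
            and parent.endswith(SCRIPT_HOSTS)
            and HIDDEN_WINDOW.search(ev["cmdline"]) is not None)


def geofence_lookup(ev):
    """Read of the registry value that holds the configured country code."""
    return (ev.get("type") == "RegistryRead"
            and ev["target"].lower().endswith(GEO_NATION))


def ioc_connection(ev):
    """Outbound connection to the dropper host or to the SMTP exfil server."""
    if ev.get("type") != "NetworkConnect":
        return None
    host = ev.get("dest_host", "").lower()
    if host == DROPPER_HOST:
        return "dropper_fetch"
    if host == EXFIL_HOST and ev.get("dest_port") == EXFIL_PORT:
        return "smtp_exfil"
    return None


def analyze(events):
    """Return (rule, event_index) pairs for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        if hidden_powershell_from_script_host(ev):
            findings.append(("hidden_powershell", i))
        if geofence_lookup(ev):
            findings.append(("geofence_lookup", i))
        label = ioc_connection(ev)
        if label:
            findings.append((label, i))
    return findings


# Constructed telemetry: records 0, 2, 4 and 6 model the chain in the report;
# records 1, 3 and 5 are benign look-alikes that each rule must not match.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w h -ep bypass -c "..."'},
    {"type": "ProcessCreate", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"type": "RegistryRead", "image": "powershell.exe",
     "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "RegistryRead", "image": "powershell.exe",
     "target": r"HKCU\Control Panel\International\Locale"},
    {"type": "NetworkConnect", "image": "powershell.exe",
     "dest_host": "ia904601.us.archive.org", "dest_port": 443},
    {"type": "NetworkConnect", "image": "outlook.exe",
     "dest_host": "mail.example.com", "dest_port": 587},
    {"type": "NetworkConnect", "image": "payload.exe",  # constructed name
     "dest_host": "mail.detarcoopmedical.com", "dest_port": 587},
]


if __name__ == "__main__":
    for rule, idx in analyze(SAMPLE_EVENTS):
        print(f"{rule:18s} event[{idx}] {SAMPLE_EVENTS[idx]}")
```

The SMTP rule keys on host and port together because the report gives both; matching the host alone would also fire on legitimate mail traffic to the same provider if the credentials were stolen from a real tenant, which is worth a separate, lower-severity rule rather than a merged one.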

MITRE ATT&CK Enterprise v15

Tasks