9953c57867a87d6d545da17a94580d567c4193ab28b70de8dd9ac253f11e2969 | Triage

Sharing

General

Target

200920241419PURCHASEORDER.js.gz
Size

119KB
Sample

240920-wwfvvazhrn
MD5

569eb1f38f3858c9af458dc3269abd3a
SHA1

c1b7928a95abdef871e4d8ae244c53405ef9dbff
SHA256

9953c57867a87d6d545da17a94580d567c4193ab28b70de8dd9ac253f11e2969
SHA512

1f24b2a296d1d09c0759edb9e86efe2f73ad38d0c80ddd2f56ba8255d5190972e939d67dbbcd513adde03da1d150028818b8070d2b5938448d64887f31a4d3fd
SSDEEP

3072:anS1QMQ4zRjorh3WzPJUti+mHGQJLGFvI2P:MSJKGzPmtZm/QFRP

Score

10^/10

collection credential_access discovery execution persistence privilege_escalation stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Targets

- Target
  
  PURCHASE ORDER.js
- Size
  
  319KB
- MD5
  
  e8114157714655fdbc7b51cde4f676de
- SHA1
  
  c23a2b3c76b2b7927f64cf74c3cf75b408a629e4
- SHA256
  
  d20d1cb56afa7818be3b26074bed7eae73e5480a5a8e0add5384bc9eddbc333d
- SHA512
  
  9f33a77504f56f4b0bce859d3b61f81cf3496a00d6cfd3aaef708f700149c72f1fb009f15e720a59b013a443c15b3c68a621358c624138b72f3409db53692c8b
- SSDEEP
  
  6144:1m06WlUzat6poIKNrZUG8IyWwmRn+CvA1HPucBzprZa8qYlVLY8/1PcKpOu4:w06WF6poIKN9UGDykRn+gA1HPu4zpNar
Score

10^/10

execution collection credential_access discovery persistence privilege_escalation stealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

collectioncredential_accessdiscoveryexecutionpersistenceprivilege_escalationstealer