General
-
Target
Purchase Order No. 4500017624.js
-
Size
133KB
-
Sample
241012-hdgsjasgkk
-
MD5
75620fc98dd7d233cd0aa29c32cf9d44
-
SHA1
27601368bea910a9e9af5685a2d746397e9fbf75
-
SHA256
3696b50af7b213dbb488178e4202096f3efc1e0c9f6f3b8d48e47799d49537f6
-
SHA512
5db62a0f483a14c7f05e58a3725db887e09c6326ff34e927258f73350156f7241ee6ea9222e5aae03ce14bc0934644044e83e74111e9c78d35817a0a5dee8ea7
-
SSDEEP
3072:3PQ4Hk0LdPdossHOLxD8i5inyBLPqZBC9Tf5PQ4Hk0LdPH:YUdPdljTfiUdPH
Malware Config
Extracted
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20
Extracted
Protocol: smtp- Host:
mail.ctdi.com.ph - Port:
587 - Username:
[email protected] - Password:
A#f+Y]H8iO4a
Extracted
agenttesla
Protocol: smtp- Host:
mail.ctdi.com.ph - Port:
587 - Username:
[email protected] - Password:
A#f+Y]H8iO4a - Email To:
[email protected]
Targets
-
-
Target
Purchase Order No. 4500017624.js
-
Size
133KB
-
MD5
75620fc98dd7d233cd0aa29c32cf9d44
-
SHA1
27601368bea910a9e9af5685a2d746397e9fbf75
-
SHA256
3696b50af7b213dbb488178e4202096f3efc1e0c9f6f3b8d48e47799d49537f6
-
SHA512
5db62a0f483a14c7f05e58a3725db887e09c6326ff34e927258f73350156f7241ee6ea9222e5aae03ce14bc0934644044e83e74111e9c78d35817a0a5dee8ea7
-
SSDEEP
3072:3PQ4Hk0LdPdossHOLxD8i5inyBLPqZBC9Tf5PQ4Hk0LdPH:YUdPdljTfiUdPH
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-