Overview

overview

10

Static

static

1

Enquiry-Dubai.js

windows7-x64

10

Enquiry-Dubai.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Enquiry-Dubai.js

  • Size

    239KB

  • Sample

    241120-3egt5swjbw

  • MD5

    05f7c478f947dee826a7163e024ebf84

  • SHA1

    bfdee493d4b9e4b218bce16128163b66b36abb4b

  • SHA256

    e3061de8d38aee7575d7a5c5b169563af5d3b61568ca9f65d49dbadc20e6f0c9

  • SHA512

    6b0a15b1b7d3b113062b959007411bb1c7e09f00dd00df588add8be1d828aadfa224f931fcb08ed72525e42c0c46689a4e497fc55b7a1de7ebeae35b78f3fa7d

  • SSDEEP

    6144:4HH6v3suAkikHH6v3sY7HH6v3suAkikHH6v3sy:yH6vLAqH6vvH6vLAqH6vX

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.detarcoopmedical.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Enquiry-Dubai.js

    • Size

      239KB

    • MD5

      05f7c478f947dee826a7163e024ebf84

    • SHA1

      bfdee493d4b9e4b218bce16128163b66b36abb4b

    • SHA256

      e3061de8d38aee7575d7a5c5b169563af5d3b61568ca9f65d49dbadc20e6f0c9

    • SHA512

      6b0a15b1b7d3b113062b959007411bb1c7e09f00dd00df588add8be1d828aadfa224f931fcb08ed72525e42c0c46689a4e497fc55b7a1de7ebeae35b78f3fa7d

    • SSDEEP

      6144:4HH6v3suAkikHH6v3sY7HH6v3suAkikHH6v3sy:yH6vLAqH6vvH6vLAqH6vX

    Score
    10/10
    executionagenttesladiscoverykeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks