General
-
Target
Enquiry.js
-
Size
225KB
-
Sample
241129-p1bclawlfz
-
MD5
90480a98c3f20658dcc43fa6db7bd562
-
SHA1
1a379838129904188cd08ffe9c645a5daba3bea5
-
SHA256
7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899
-
SHA512
05f8c16e4ec8af3939a7fea5b8e4adde852ba00e5b0513aedaad7afeaf556741094fff75681bdbe070e3de62fc9f3c76939271c004a4bf308e38ea20126b611d
-
SSDEEP
6144:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSq+QdBA5gC/2KZgSq+Qdt:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSm
Malware Config
Extracted
https://1016.filemail.com/api/file/get?filekey=0RUgbZ-8FbUsLkmTHKk7vmioQRpHGD8qVMkgf-v_Yna_Wu4TdrJepse70JUd-j9UMfry&pk_vid=e0109638c9bfb9571732794374a1ff6c
https://1016.filemail.com/api/file/get?filekey=0RUgbZ-8FbUsLkmTHKk7vmioQRpHGD8qVMkgf-v_Yna_Wu4TdrJepse70JUd-j9UMfry&pk_vid=e0109638c9bfb9571732794374a1ff6c
Extracted
Protocol: smtp- Host:
mail.detarcoopmedical.com - Port:
587 - Username:
[email protected] - Password:
To$zL%?nhDHN
Extracted
agenttesla
Protocol: smtp- Host:
mail.detarcoopmedical.com - Port:
587 - Username:
[email protected] - Password:
To$zL%?nhDHN - Email To:
[email protected]
Targets
-
-
Target
Enquiry.js
-
Size
225KB
-
MD5
90480a98c3f20658dcc43fa6db7bd562
-
SHA1
1a379838129904188cd08ffe9c645a5daba3bea5
-
SHA256
7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899
-
SHA512
05f8c16e4ec8af3939a7fea5b8e4adde852ba00e5b0513aedaad7afeaf556741094fff75681bdbe070e3de62fc9f3c76939271c004a4bf308e38ea20126b611d
-
SSDEEP
6144:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSq+QdBA5gC/2KZgSq+Qdt:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSm
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-