General

  • Target

    Enquiry.js

  • Size

    225KB

  • Sample

    241129-pygftswkf1

  • MD5

    90480a98c3f20658dcc43fa6db7bd562

  • SHA1

    1a379838129904188cd08ffe9c645a5daba3bea5

  • SHA256

    7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899

  • SHA512

    05f8c16e4ec8af3939a7fea5b8e4adde852ba00e5b0513aedaad7afeaf556741094fff75681bdbe070e3de62fc9f3c76939271c004a4bf308e38ea20126b611d

  • SSDEEP

    6144:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSq+QdBA5gC/2KZgSq+Qdt:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSm

Malware Config

Extracted

  • Language:
    ps1
  • Source:
    URLs

URLs

  • ps1.dropper
    https://1016.filemail.com/api/file/get?filekey=0RUgbZ-8FbUsLkmTHKk7vmioQRpHGD8qVMkgf-v_Yna_Wu4TdrJepse70JUd-j9UMfry&pk_vid=e0109638c9bfb9571732794374a1ff6c
  • exe.dropper
    https://1016.filemail.com/api/file/get?filekey=0RUgbZ-8FbUsLkmTHKk7vmioQRpHGD8qVMkgf-v_Yna_Wu4TdrJepse70JUd-j9UMfry&pk_vid=e0109638c9bfb9571732794374a1ff6c

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.detarcoopmedical.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Enquiry.js

    • Size

      225KB

    • MD5

      90480a98c3f20658dcc43fa6db7bd562

    • SHA1

      1a379838129904188cd08ffe9c645a5daba3bea5

    • SHA256

      7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899

    • SHA512

      05f8c16e4ec8af3939a7fea5b8e4adde852ba00e5b0513aedaad7afeaf556741094fff75681bdbe070e3de62fc9f3c76939271c004a4bf308e38ea20126b611d

    • SSDEEP

      6144:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSq+QdBA5gC/2KZgSq+Qdt:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks