General
-
Target
NEWORDER.exe
-
Size
408KB
-
Sample
201109-nkhe3qh78n
-
MD5
b0506b5cb266ea0b26a3a96734b74a98
-
SHA1
64cae8138f8192c0a6a54ce7ef7044a5edce6dc7
-
SHA256
3e0a789cc12973067922e99e9c1553170ec89449e93a7e9d61966959d7892abb
-
SHA512
431c555910ec52d2ce5a8033ac1a19f08e23bba3117cc3c9ef72b57cafd9b6f910cf144c31170c5305793aa6ca9a880b72658dee1bb665ea73d9f715dc1c6245
Static task
static1
Behavioral task
behavioral1
Sample
NEWORDER.exe
Resource
win7v20201028
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.cleanprolaundryparts.com/ - Port:
21 - Username:
abs001@cleanprolaundryparts.com - Password:
.ID5OT57T}BQ
Protocol: ftp- Host:
ftp://ftp.cleanprolaundryparts.com/ - Port:
21 - Username:
abs001@cleanprolaundryparts.com - Password:
.ID5OT57T}BQ
Extracted
Protocol: ftp- Host:
ftp.cleanprolaundryparts.com - Port:
21 - Username:
abs001@cleanprolaundryparts.com - Password:
.ID5OT57T}BQ
Targets
-
-
Target
NEWORDER.exe
-
Size
408KB
-
MD5
b0506b5cb266ea0b26a3a96734b74a98
-
SHA1
64cae8138f8192c0a6a54ce7ef7044a5edce6dc7
-
SHA256
3e0a789cc12973067922e99e9c1553170ec89449e93a7e9d61966959d7892abb
-
SHA512
431c555910ec52d2ce5a8033ac1a19f08e23bba3117cc3c9ef72b57cafd9b6f910cf144c31170c5305793aa6ca9a880b72658dee1bb665ea73d9f715dc1c6245
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-