General
- Target: New Order.exe
- Size: 859KB
- Sample: 210727-xryszle7g2
- MD5: b8e5a84cef79a45bb1d32eae8cfefb0e
- SHA1: 4f54310299013d1fd52c0f8e1640487393a5ee9d
- SHA256: fad8c5931f0dd3fbd63fe0a0e2d6799edf4004ed20a9afebbcd54cfabb5595fd
- SHA512: dce3c04a834e63019004a9aa76c7815c446d648e96c517a14c5604e7ad4e0e1efa35feb358484fbc89e59f88880be74de64b99c8c61bc6a4903ee1cbe907afbc
Static task: static1
Behavioral task: behavioral1
- Sample: New Order.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: New Order.exe
- Resource: win10v20210410
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.alruomigroup.com
- Port: 587
- Username: eepauloffice@alruomigroup.com
- Password: HpabZXh7
Targets
- Target: New Order.exe
- Size: 859KB
- MD5: b8e5a84cef79a45bb1d32eae8cfefb0e
- SHA1: 4f54310299013d1fd52c0f8e1640487393a5ee9d
- SHA256: fad8c5931f0dd3fbd63fe0a0e2d6799edf4004ed20a9afebbcd54cfabb5595fd
- SHA512: dce3c04a834e63019004a9aa76c7815c446d648e96c517a14c5604e7ad4e0e1efa35feb358484fbc89e59f88880be74de64b99c8c61bc6a4903ee1cbe907afbc
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext