General
- Target: 4224d59d78ac65af0eab5882b25156ac12201c08d8c8068762f83f05fe96c8db
- Size: 560KB
- Sample: 220520-2jxkqaaedn
- MD5: 930fe6adeb36288620913111baf1ecf6
- SHA1: f0eed41767b839a239d7a9b26716fcffa0505e36
- SHA256: 4224d59d78ac65af0eab5882b25156ac12201c08d8c8068762f83f05fe96c8db
- SHA512: 1bf7cd9383e05cb332d9cd46d31ed6ca3a74105d937f6ce8f42881f6c4cdd22c335ff4ef5ab5d09f31463bb0da69f552ae8e3ec24ae41c79c42ff10edb61a22b
Static task: static1
Behavioral task: behavioral1
- Sample: New Order.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: New Order.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.kemyo.lk
- Port: 587
- Username: [email protected]
- Password: YWNZL%x)7o6r(^nPeV5qsQy^
Targets
- Target: New Order.exe
- Size: 595KB
- MD5: 12bff32155a20c5bb19a5b382ab8d8e9
- SHA1: 422528c91aeaa66cfc71ebc095e6a69277365156
- SHA256: 117ef07f45b0916e5d43168f52a5efbb756947d6aadd3389293adba4309ddc89
- SHA512: 51ea1708947bbf746c917bbead8fcc31890b9419eec8c74a49474c7afff1d7c201e3f0b5f4ce458d1b4cadb40f15a88f70c09e34b04976840f114dfda628515d
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext