General

  • Target

    94e91ad6b157ff4b58f751649473fce3c7cd77e2b402e9be5e562ad57c65d72f

  • Size

    1.2MB

  • Sample

    220521-b1py4acgg4

  • MD5

    56b5d92336b44befa1d56d2e6d444693

  • SHA1

    cd947ba8314e74ad70b4e1b604327aa1b610a3bf

  • SHA256

    94e91ad6b157ff4b58f751649473fce3c7cd77e2b402e9be5e562ad57c65d72f

  • SHA512

    af682d27bcb2219d9ba835fdb6c7146a13060244daa0f595b65b65ff9144ffb9981a981a0e5cc824f2289f57d7e5ea55530ae299c52860c2523c3f29870cad4d

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.orientalkuwait.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Operatingmanager1&

Targets

    • Target

      NEW_ORDE.PIF

    • Size

      407KB

    • MD5

      5cac1e716627b5caea7e65c9f52afa59

    • SHA1

      0d0407e5a5949d4413ad30521a2c312f3afd509c

    • SHA256

      63e22190be3afdf47f1f752c5a112347410849f3dccd0f0a7319dc8e6a405b39

    • SHA512

      7cc910c403c6d2005e58ed080a16b694a0ed8744242fde39e52b999de241c0a71b483bc990604971fb2898fba74c43a3d4f3e61784a74b03b4f679679f931f0d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the tactic, the mapped technique with its ATT&CK ID, and the number of matching signatures.

  • Execution
    Scheduled Task (T1053): 1

  • Persistence
    Scheduled Task (T1053): 1

  • Privilege Escalation
    Scheduled Task (T1053): 1

  • Credential Access
    Credentials in Files (T1081): 3

  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

  • Collection
    Data from Local System (T1005): 3
    Email Collection (T1114): 1

Tasks