General

Target: a4d16713a50b55dd68445c0d6407d67542b37eaf93efb9ff09ec435fb198848d
Size: 408KB
Sample: 220521-bqn9tacce8
MD5: 71bde3ed483c85c43f62b152c19f576b
SHA1: 978457adb3b855cf936e2c9765219f916bc655c9
SHA256: a4d16713a50b55dd68445c0d6407d67542b37eaf93efb9ff09ec435fb198848d
SHA512: 35ba3439e331ef2dc29a2906222d0eeb4d4e756c8dd0ca01b1b6c2b8d5e3eb11e13084c7db98dae97e28c9838555c7c5bd112ed4a265d49267db2e4355c3f81c
Static task: static1

Behavioral task: behavioral1
  Sample: New Order.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: New Order.exe
  Resource: win10v2004-20220414-en
Malware Config

Extracted: agenttesla (SMTP exfiltration credentials; Agent Tesla sends stolen data to this mailbox)
  Protocol: smtp
  Host: mail.fakly-cambodia.com
  Port: 587
  Username: [email protected]
  Password: Mmhh#2014

Extracted
  Protocol: smtp
  Host: mail.fakly-cambodia.com
  Port: 587
  Username: [email protected]
  Password: Mmhh#2014
Targets

Target: New Order.exe
Size: 459KB
MD5: 0081ac0ee3f00f61e44cf7f127fd7d09
SHA1: cce72d90b240c678d87be6b21eb64ed72af7c8c1
SHA256: 3b82d291e2fb62eac9616a46f75733d77f8d6287dfc54d834d60418cef7f717f
SHA512: 427cfa24355d8a411b08897f3de0d8f88b79aa185d0fa654e0fa7ae1f13c14b67ea3403e8ad8436fc9f8ab1b2360335d18fbb26f0a0a9f70a3233cc942a49718
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET).
- CoreEntity .NET Packer
  A .NET packer, CoreEntity, that embeds the payload as a Bitmap object which is decrypted at runtime.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
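The registry checks listed above are the kind of behaviour a defender can hunt for in a process trace. The following is an added example, not part of the sandbox report or the Agent Tesla sample: it scans Procmon-style CSV rows for registry read operations against the well-known keys that the report's signatures normally correspond to (the exact key paths are assumptions from general Windows knowledge, not values taken from the report) and flags a process once it touches two or more distinct anti-analysis locations. The CSV rows are constructed for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Well-known registry locations behind each report signature. These paths are
# assumptions from general Windows knowledge; the report lists only the
# signature names, not the keys that triggered them.
SIGNATURES = {
    "virtualbox_guest_additions": r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    "vmware_tools": r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools",
    "bios_information": r"\\HARDWARE\\DESCRIPTION\\System\\BIOS",
    "drive_enumeration": r"\\Services\\Disk\\Enum",
    "country_code": r"\\Control Panel\\International\\Geo\\Nation",
    "outlook_profiles": r"\\Outlook\\Profiles",
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in SIGNATURES.items()}

# Signatures that, taken together, indicate sandbox/VM detection.
ANTI_ANALYSIS = {"virtualbox_guest_additions", "vmware_tools",
                 "bios_information", "drive_enumeration"}

# Only registry *reads* matter here; a write to the same key is not a check.
READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}

# Constructed Procmon export (not real telemetry). Raw string so the backslashes
# in registry paths survive intact.
SAMPLE_PROCMON_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:00:01,New Order.exe,1234,RegOpenKey,HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions,NAME NOT FOUND,
10:00:01,New Order.exe,1234,RegOpenKey,"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",NAME NOT FOUND,
10:00:01,New Order.exe,1234,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer,SUCCESS,
10:00:02,New Order.exe,1234,RegQueryValue,HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0,SUCCESS,
10:00:02,New Order.exe,1234,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS,
10:00:03,New Order.exe,1234,RegOpenKey,HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook,NAME NOT FOUND,
10:00:03,explorer.exe,800,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS,
10:00:04,svchost.exe,900,RegSetValue,HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions\Version,SUCCESS,
"""


def classify_events(procmon_csv):
    """Map "process:pid" to the set of signature names its registry reads matched."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] not in READ_OPS:
            continue
        for name, pattern in PATTERNS.items():
            if pattern.search(row["Path"]):
                hits[f'{row["Process Name"]}:{row["PID"]}'].add(name)
    return dict(hits)


def verdicts(hits):
    """Turn raw signature hits into per-process tags.

    A single anti-analysis read is common in benign software, so the
    sandbox_evasion tag requires at least two distinct anti-analysis keys.
    """
    out = {}
    for proc, sigs in hits.items():
        tags = []
        if len(sigs & ANTI_ANALYSIS) >= 2:
            tags.append("sandbox_evasion")
        if "country_code" in sigs:
            tags.append("geofence")
        if "outlook_profiles" in sigs:
            tags.append("credential_access")
        out[proc] = tags
    return out


if __name__ == "__main__":
    for proc, tags in verdicts(classify_events(SAMPLE_PROCMON_CSV)).items():
        print(f"{proc}: {', '.join(tags) or 'no verdict'}")
```

On the constructed trace, New Order.exe is tagged for sandbox evasion, geofencing and credential access, explorer.exe receives only the geofence tag for its single Geo\Nation read, and svchost.exe is ignored because its only matching operation is a write. The two-key threshold is the design choice worth tuning: querying BIOS strings alone is routine for inventory agents, while querying BIOS strings together with the VirtualBox and VMware keys is not.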