General
Target: 97555d7e571b4addb2ab934b2eced757f7115dcff6eb95c7f5c34a937e7cc203
Size: 419KB
Sample: 220521-cyvbgaefg6
MD5: 9ee193ee2d03542d33edccb00dfdd575
SHA1: 9ac99d0edf9b6f4640af30d2ec18fdc24507e9f5
SHA256: 97555d7e571b4addb2ab934b2eced757f7115dcff6eb95c7f5c34a937e7cc203
SHA512: c81d56e3f000df2898a2f14bf25ea727b80ffd7fd5e5fc90237d1c9316e17f7dd8d24ea940704ca1659114c3115e5e4a5a03b37b2ab5ea16ceeecb37e39e425c
Static task: static1
Behavioral task: behavioral1
Sample: NEWORDER.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: NEWORDER.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: [email protected]
Password: !9aT1sz8?9SqN
Targets
Target: NEWORDER.exe
Size: 520KB
MD5: 45b310ef34503c296061ad6e468b3d6e
SHA1: e1f41506b13003ba7e6e2154c5a731a3d6c4a6ef
SHA256: 216c6b02a878dd3c0e20e476bcbb0e74a6d0841587118eda96ab3bc620d85d1f
SHA512: e8d4caeb5c46220b238fd3f638fac9e52dfdcf5bfab65493b26f132432bc25af8ddfbcd69d8db812293c831d1eb92babb29766036eced9e740c30446171ed323
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
AgentTesla Payload
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext