General
Target: ORDER.zip
Size: 622KB
Sample: 221129-qms6xscg26
MD5: f56ccf4b84bc0732b56545eefca3904b
SHA1: 22e560d81653639eeceae3c70c7d9d20bb3ece53
SHA256: 9a043bd948d548987387308beecb6012d061828d1095e67c632a67f6bc1dd5fb
SHA512: 687ca69e7fadda1f857460abe35c6f6aa9b16f2e05db51e84ee150da1b8a28df9bdccee1a6504a96da7198a51831ddca88bf5f6deedacdf752ea1df8ed4b9243
SSDEEP: 12288:19p6YUAfeB710xKwKks/YZ9mIapoL4wn6O/ceami5desezCDsLKgF:96YUVB7MKw7s/e9vWonoF5dde/3
Static task: static1
Behavioral task: behavioral1
  Sample: ORDER.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: ORDER.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.southernboilers.org
Port: 587
Username: info@southernboilers.org
Password: Sksmoke2018#
Email To: obtxxxtf@gmail.com
Targets
Target: ORDER.exe
Size: 783KB
MD5: effa64d665cc881b80faefb053896c75
SHA1: 314ae8a3bfbbae37b92ab9c1d4e72a2f3ba77959
SHA256: 9d6b6913c2b8b1084f4177076c9c2b759ce8a903bc7baf1b1c0ef3bf5635c361
SHA512: 8edb0d1298146e744847cc4efafcce3da52859b3beef6d8e3ca15049188abab93f1fb7c097cae4515d2faca29662d57fb7c3dbb5a9be8c9fadd89bdb38c15fc7
SSDEEP: 24576:QivLGVB70aw1s/U97WopiNc9/LkInstI:+VB70aw1u8piN0/LMt
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext