General

  • Target

    NewOrder.vbs

  • Size

    132KB

  • Sample

    230206-lc2m4agd6v

  • MD5

    a2b56b456dab2c7ea6e07bdaf0be06f6

  • SHA1

    942931bbaa2568824208c4d3abbb8ab1b9e9579f

  • SHA256

    87a850093290a5a1cb984c05986abaaea4b135370e892c75b369a37273021bcc

  • SHA512

    d853f43575bbd90c5d674f581af2ea021a6355cff8401d729ca01c96950b6a1b76207fd87d0997c07dc15e1295feab995c144099e2ae475875c5029f5b5b4b44

  • SSDEEP

    3072:vTHJmOSfNKUTvt3UXHRTjwaYxgLKyaJLjQQwMBF+8n8YGYiw1Nbr:vTcDf0+axTE9CKrQQwmOYfH

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper: https://megookbpnq.cf/herpetici.afm

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.valvulasthermovalve.cl
  • Port:
    21
  • Username:
    cva19491@valvulasthermovalve.cl
  • Password:
    LILKOOLL14!!

Targets

    • Target

      NewOrder.vbs

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface (T1059): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 4