General

- Target: NewOrder.vbs
- Size: 132KB
- Sample: 230206-lc2m4agd6v
- MD5: a2b56b456dab2c7ea6e07bdaf0be06f6
- SHA1: 942931bbaa2568824208c4d3abbb8ab1b9e9579f
- SHA256: 87a850093290a5a1cb984c05986abaaea4b135370e892c75b369a37273021bcc
- SHA512: d853f43575bbd90c5d674f581af2ea021a6355cff8401d729ca01c96950b6a1b76207fd87d0997c07dc15e1295feab995c144099e2ae475875c5029f5b5b4b44
- SSDEEP: 3072:vTHJmOSfNKUTvt3UXHRTjwaYxgLKyaJLjQQwMBF+8n8YGYiw1Nbr:vTcDf0+axTE9CKrQQwmOYfH
Static task: static1

Behavioral task: behavioral1
- Sample: NewOrder.vbs
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: NewOrder.vbs
- Resource: win10v2004-20221111-en
Malware Config

Extracted: https://megookbpnq.cf/herpetici.afm

Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.valvulasthermovalve.cl
- Port: 21
- Username: cva19491@valvulasthermovalve.cl
- Password: LILKOOLL14!!
Targets

- Target: NewOrder.vbs
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext