General
- Target: nORDER_PO.IMG
- Size: 1.2MB
- Sample: 230330-n8vwjace78
- MD5: e791286741e84294768f0e7aa638dd30
- SHA1: b18fa167a57fe39d9b0a92792c7223c69fae9a17
- SHA256: 7fa315da449b28029d277ddd4a5568664f52f56ad234d6f43949533e9d4a6e6c
- SHA512: 745c812bea28248036e201ce22a278f87a2036a5a0692071abbbf8405a5978458d16ce288e6c65eec5220afcf48d9f9a7d0f26e5eee4229060bed4793394ab39
- SSDEEP: 24576:Sb3yVAYp4DS9qw/jE9cPi9Dt8nw2fOEevimX:SDyNpDqw/jETDt8nRmE
Static task: static1
Behavioral task: behavioral1
- Sample: ORDER_PO.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: ORDER_PO.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.ardsmmm.com
- Port: 587
- Username: [email protected]
- Password: Ard2015**
- Email To: [email protected]
Targets
- Target: ORDER_PO.EXE
- Size: 675KB
- MD5: 6b086fd896d82d0707ac4fa29eee1569
- SHA1: ef66a56b2910aaa72c91310151d93fe8a2ca9738
- SHA256: 8065d7457588be9190ebc01cc9a6f42ba2e63eaeaa2157b6525f0a186548da00
- SHA512: 2ad7685609102f09b0829ed7d56df238b6230e341c98bb2d17c56f45ed9e19c770d7e744fa139ecc2c6415aa10dfed6e14a64c6ad8a862d81ace9fb1247fd269
- SSDEEP: 12288:a442y8kGK3yVAID28p4DJGOA9kHwC5ojE9cPPqyCDXZP8nwH0q+TXLOfsevimOMM:Qb3yVAYp4DS9qw/jE9cPi9Dt8nw2fOEW
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext