General
Target: dae5d5b4b99ed5d0e40782475cfad8dc672e9006735615af667e8de62b26cb9e
Size: 652KB
Sample: 240327-bk36sabf8z
MD5: 12736d854254377dd191741691dced18
SHA1: 60a98679d8d0c6dd2e8de9fc316bd7a1df6671d5
SHA256: dae5d5b4b99ed5d0e40782475cfad8dc672e9006735615af667e8de62b26cb9e
SHA512: 5323b0a044b3ec4a6d52886d359b21418038587d066170e499e9053471aa81f5d388e3eb6745e85bc7f8e10eae65c60bed49679ca63bda08a9f8c06562ef6030
SSDEEP: 12288:yVju4e3xdVvv1me+/kdxNvOYsgvcxdX5R3eIsZgp007RnEUPC0kD0GA4xM:yVy4y9vsqdxNG/g039lq7xM
Static task: static1
Behavioral task: behavioral1
  Sample: NewOrder4567.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: NewOrder4567.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.denvaco.info
Port: 587
Username: [email protected]
Password: vwta.M,AH}Gq
Email To: [email protected]
Targets
Target: NewOrder4567.exe
Size: 729KB
MD5: 334706ee1809fb91b773e31a83421a6f
SHA1: 5d9ce7cbfaf669f201cefec925abcfe74b279eed
SHA256: fd675370ab1863be41ca596f88338c578f0c1f46cef5ae8765daee64d6409b09
SHA512: 77bf82f117111067d3dae4a850b2c3dfbd656e15bf6292281f7a0d14b7b70bcbec9a80407ac4f68fcef7959f46914c5c9f5193029fdea69df044fb0f1240e17f
SSDEEP: 12288:WC8yBa5WRiGJOK4MofpbohrUnEc3dX5R3eI0/gp00TRZEUxC0riPCkR:5pzRWbNpbodyr79tTAx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)