Extracted

Extracted

• • Target

    DF000645--NEW ORDER.exe

  • Size

    611KB

  • MD5

    97c63889b526ad1f55a467c49ba7dcaa

  • SHA1

    5a2f41fde77e8b0ac3ad2e5e5b7c103a4bacf5b1

  • SHA256

    63192845f76bc6442b700f56ba267fd39de0469770facfb66e9ee799c0652c74

  • SHA512

    63de4b3d607568a738d885a068181d4ae4c8938447f7f048ebec8f5cf7f2611394530c1e77b57924d4010bd7112f79e9e2f0fab2ba7dd0431a57647c96fc3569

  • SSDEEP

    12288:GeO25DK5PolqIW2H4ma0jb/km2ui0DVD+MfBkHIP0csc4ZQWqBZ6e+XC:K25WcO0jbMyi0ppZhP0cscSFqBZ6emC

  Score

  10^/10

  agentteslaevasionexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2