General
Target: New Order CHAL-0435.vbs
Size: 449KB
Sample: 240701-l3ydcsydjr
MD5: 5a0dbe0c7eec32795de4a14bec5ee17a
SHA1: 43bf04fe61e07486b4fba98e2ef454f12b88c8b4
SHA256: 8ac3582b0025c26878a6ba3337703974f6517448af31f59d0aec023569e5e8d2
SHA512: 3d183693d757a57620b167a1b6dd7a734967fd1ddc64f77a67232db24114de72af0f393eb7531038dc5a55d461be90ddc2c767001ec330bbb28e9a31250f4b4c
SSDEEP: 6144:OZvdxaOaFt7Fu/crHZ4CiGu7cD4Z4p1ubCwxg7Qo1UbV5LGrvvVvBHhDlWlme0KN:OxgdLMNQ+yE

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: New Order CHAL-0435.vbs
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: New Order CHAL-0435.vbs
  Resource: win10v2004-20240508-en
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: ysmglobalsourcing.com
Port: 587
Username: [email protected]
Password: YSM$2024
Email To: [email protected]
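The extracted config is the most directly actionable part of this report: the sample exfiltrates over SMTP submission (port 587) to a fixed mail server, after first resolving its own external IP. The following is an added example, not part of the sandbox report, that turns those values into detection logic and runs it over Sysmon Event ID 3 (network connection) records. The log records are constructed for illustration; the process paths (RegSvcs.exe as the injected host), timestamps, the allowlist of mail clients and the list of IP-lookup services are assumptions and do not come from the report.

```python
"""Turn the SMTP exfiltration settings extracted from this sample into
detection logic and run it over Sysmon Event ID 3 (network connection)
records.  Added example, not part of the sandbox report.  The log lines are
constructed for illustration: process paths, timestamps and the allowlist
are assumptions and do not come from the report."""
import re
from dataclasses import dataclass

# Indicators taken from the report's extracted Agent Tesla config.
C2_HOST = "ysmglobalsourcing.com"
C2_PORT = 587

# Public IP-lookup services commonly contacted by Agent Tesla builds before
# exfiltration (generic list; the report does not name the one used here).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com"}

# Processes allowed to speak SMTP submission (587) on this network: an
# assumption for the example, tune to the environment.
ALLOWED_SMTP_IMAGES = {r"c:\program files\microsoft office\root\office16\outlook.exe"}


@dataclass
class Alert:
    ts: str
    image: str
    reason: str


# Sysmon fields are encoded here as key=value pairs separated by '|'.
FIELD_RE = re.compile(r"(\w+)=([^|]*)")


def parse_event(line: str) -> dict:
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def detect_exfil(lines):
    """Return one Alert per Event ID 3 record that matches an indicator."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3":
            continue
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort") or 0)
        image = ev.get("Image", "").lower()
        reasons = []
        if host == C2_HOST and port == C2_PORT:
            reasons.append(f"known Agent Tesla exfil server {C2_HOST}:{C2_PORT}")
        elif port == C2_PORT and image not in ALLOWED_SMTP_IMAGES:
            # Behavioural fallback: still fires after the actor rotates the mail server.
            reasons.append(f"SMTP submission to {host} from non-mail process")
        if host in IP_LOOKUP_HOSTS:
            reasons.append(f"external IP lookup via {host}")
        if reasons:
            alerts.append(Alert(ev.get("UtcTime", ""), ev.get("Image", ""), "; ".join(reasons)))
    return alerts


# Constructed records; RegSvcs.exe as the injected host process is an assumption.
SAMPLE_EVENTS = [
    r"UtcTime=2024-07-01 10:12:03|EventID=3|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe|DestinationHostname=api.ipify.org|DestinationPort=443",
    r"UtcTime=2024-07-01 10:12:05|EventID=3|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe|DestinationHostname=ysmglobalsourcing.com|DestinationPort=587",
    r"UtcTime=2024-07-01 10:15:00|EventID=3|Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|DestinationHostname=smtp.office365.com|DestinationPort=587",
    r"UtcTime=2024-07-01 10:16:00|EventID=1|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe New Order CHAL-0435.vbs",
]

if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_EVENTS):
        print(a.ts, a.image, a.reason)
```

Two caveats when deploying this. Sysmon fills DestinationHostname from reverse DNS and it is frequently empty, so pair the hostname match with Event ID 22 (DNS query) for the same domain or with the resolved IP. And the mail server here is, per the report's "Legitimate hosting services abused" signature, most likely a real company's server whose account was compromised: blocking the domain outright can break legitimate mail, and the account owner should be told the credentials are in circulation.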
Targets
Target: New Order CHAL-0435.vbs
Size: 449KB
MD5: 5a0dbe0c7eec32795de4a14bec5ee17a
SHA1: 43bf04fe61e07486b4fba98e2ef454f12b88c8b4
SHA256: 8ac3582b0025c26878a6ba3337703974f6517448af31f59d0aec023569e5e8d2
SHA512: 3d183693d757a57620b167a1b6dd7a734967fd1ddc64f77a67232db24114de72af0f393eb7531038dc5a55d461be90ddc2c767001ec330bbb28e9a31250f4b4c
SSDEEP: 6144:OZvdxaOaFt7Fu/crHZ4CiGu7cD4Z4p1ubCwxg7Qo1UbV5LGrvvVvBHhDlWlme0KN:OxgdLMNQ+yE
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; this sample sends its stolen data out over SMTP using the credentials in the extracted config above.

Signatures
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
  Persistence through a CurrentVersion\Run value so the payload is started again at logon.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP, which Agent Tesla typically includes in its exfiltrated report.
- Suspicious use of NtCreateThreadExHideFromDebugger
  Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, so the debugger never receives events for it.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Sets ThreadHideFromDebugger on an existing thread; together with the above this is a classic anti-debugging measure.
- Suspicious use of SetThreadContext
  Rewrites the context of a suspended thread, the step that hands control to injected code in process hollowing.
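The "Adds Run key to start application" signature is the one behaviour above that leaves a durable host artifact, and Sysmon records it as Event ID 13 (registry value set). The following is an added example, not part of the sandbox report, that scores such records so that the Run-key write by a script host pointing into a user-writable directory stands out from an installer registering a vendor agent. The records are constructed: the paths, value names and SID are assumptions, and the report does not say which value name or drop path this sample uses.

```python
"""Score Sysmon Event ID 13 (registry value set) records for the Run-key
persistence described by this sample's "Adds Run key to start application"
signature.  Added example, not part of the sandbox report.  The records are
constructed: paths, value names and the SID are assumptions."""
import re
from dataclasses import dataclass, field

# Sysmon fields encoded as key=value pairs separated by '|'.
FIELD_RE = re.compile(r"(\w+)=([^|]*)")
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
SCRIPT_HOST_RE = re.compile(
    r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b|\.(vbs|js|hta|ps1)\b", re.I)


@dataclass
class Finding:
    ts: str
    image: str
    key: str
    details: str
    score: int
    reasons: list = field(default_factory=list)


def parse_event(line):
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def score_run_key_write(ev):
    """Return a Finding for a Run/RunOnce value write, or None for anything else."""
    if ev.get("EventID") != "13" or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    image, details = ev.get("Image", ""), ev.get("Details", "")
    reasons, score = [], 1  # every autorun write is worth a record
    if USER_WRITABLE_RE.search(details):
        reasons.append("autorun target lives in a user-writable directory")
        score += 2
    if SCRIPT_HOST_RE.search(details):
        reasons.append("autorun runs a script host or script file")
        score += 2
    if SCRIPT_HOST_RE.search(image):
        reasons.append("value written by a script host, as a VBS dropper would")
        score += 2
    return Finding(ev.get("UtcTime", ""), image, ev["TargetObject"], details, score, reasons)


def detect_run_key_persistence(lines, min_score=1):
    findings = [score_run_key_write(parse_event(line)) for line in lines]
    return [f for f in findings if f and f.score >= min_score]


# Constructed records: a dropper-style write, a vendor installer, an unrelated
# registry write and a file-create event that must be ignored.
SAMPLE_EVENTS = [
    r"UtcTime=2024-07-01 10:12:07|EventID=13|Image=C:\Windows\System32\wscript.exe|TargetObject=HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Users\user\AppData\Roaming\Updater\updater.exe",
    r"UtcTime=2024-07-01 10:20:00|EventID=13|Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent|Details=C:\Program Files\Vendor\agent.exe",
    r"UtcTime=2024-07-01 10:21:00|EventID=13|Image=C:\Program Files\Notepad++\notepad++.exe|TargetObject=HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Notepad++\lastSession|Details=session.xml",
    r"UtcTime=2024-07-01 10:22:00|EventID=11|Image=C:\Windows\System32\wscript.exe|TargetFilename=C:\Users\user\AppData\Roaming\Updater\updater.exe",
]

if __name__ == "__main__":
    for f in detect_run_key_persistence(SAMPLE_EVENTS, min_score=3):
        print(f.ts, f.score, f.image, "->", f.details, f.reasons)
```

The Sysmon configuration must include the Run and RunOnce keys in its RegistryEvent rules for these records to exist at all. Note also that the "Checks computer location settings" behaviour is a registry read, which Sysmon does not log; that one is only visible in a sandbox or an API trace, not in host telemetry.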