General
- Target: 4409RI100080 SWIFTMSG.TXT.exe
- Size: 458KB
- Sample: 211202-nqkb3sfecl
- MD5: ee8a0fc4071663b4c7f8524a896b302a
- SHA1: 27b2da6630e2a684379ef8c16568857070a2a15c
- SHA256: f07fc5f31e955fb3c7fc9d9c5a7eff013b987916aa18c60c1b3ff80db344c9ab
- SHA512: a6c17a2f0046c4c8a36613f345a881c1692caec5e39b23f0aa4f8de0759cf4184a47a51d70e215021e90db64fb568c02cd9bd56961a5b390cbd56fcb8c410e58
Static task: static1
Behavioral task: behavioral1
- Sample: 4409RI100080 SWIFTMSG.TXT.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: 4409RI100080 SWIFTMSG.TXT.exe
- Resource: win10-en-20211104
Malware Config
Extracted: agenttesla
- https://api.telegram.org/bot1338829993:AAGkgJ80sLaIYwBfp79Ps5EtdSP1XH6jBV8/sendDocument
Targets
- Target: 4409RI100080 SWIFTMSG.TXT.exe (458KB; MD5, SHA1, SHA256 and SHA512 as listed under General above)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext