General
Target: 8e9e17ed6dd95447209e70b2cd44cc2c2be0a6e17b7180342d942a0cdbfea06a
Size: 396KB
Sample: 220521-b1qkmacgg5
MD5: 95e8545d2a7b339d1054bda726e41e0f
SHA1: a1d4bf516bbbb6c914b847e878f33586af936d0e
SHA256: 8e9e17ed6dd95447209e70b2cd44cc2c2be0a6e17b7180342d942a0cdbfea06a
SHA512: 306ec12f706a70432c549bcb7a1330eacbfd1fa55eb1ee2507a2eccfabf11355f1cf3ff7be5935f069c1c3aaef66ede9a4832456b84999d705f0b329377aa875
Static task: static1
Behavioral task: behavioral1
  Sample: BL & Payment Swift_PDF.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: BL & Payment Swift_PDF.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.candenizcilik.com
Port: 587
Username: [email protected]
Password: 519025
Targets
Target: BL & Payment Swift_PDF.exe
Size: 480KB
MD5: 947e7f37cba394e7fde73b34612d8716
SHA1: 2e3d411b423e1fed18e162b4f923b031d238e978
SHA256: c0005ff458131bed0541695d27368d84415e219dbdaa6d13fa80ed539e85b90f
SHA512: 1a93c8fff71cbdb0bf11a27f112d8587eb398247ca3e8a708a317b9ad968ab9407ecbda652451cc742d38c5db0a5848f5c16729f03767acaa99f37dc6bc90a6f
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext