General
- Target: f7b29f5ba346c9e357b8d0c8a33df8c0e6f810d2e387d1bfa15fa2224c90db7c
- Size: 462KB
- Sample: 220521-b9cp5addf5
- MD5: f79c8ec5989194da7ee9817db53d2ee1
- SHA1: 77375a36ee7b06d34b2e6097a90520eea159fab2
- SHA256: f7b29f5ba346c9e357b8d0c8a33df8c0e6f810d2e387d1bfa15fa2224c90db7c
- SHA512: 81d1e6514de9597f6dba11d7abc1d51aaf25ed3fbfc40ee33c3734acc4a1bbc79d9847cc4ade9a8ced129a8ee84c86cf3b55edff2b455b97dee947a5694634ae
Static task: static1
Behavioral task: behavioral1
- Sample: swift copy.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: swift copy.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.microtechlab.in
- Port: 587
- Username: [email protected]
- Password: pune@123
Targets
- Target: swift copy.exe
- Size: 496KB
- MD5: 88c063ba896591127a15f451f029e881
- SHA1: f6f1e3e0657d254f2c11be2ecae3a93b488db769
- SHA256: c30238e31d4321ab8b4169269e6e635e59b6700d40e712c5fc85a0a1554dfd2a
- SHA512: 41ed0f6068ab1fd3d154ae0b33cf2031d9fa1069f0c0cfa8f8f2d7bc7c021776922333478acfd8887d598f14ca74034be9d2fa16049e053baeeeb5028c771117
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a Bitmap object, which is later decrypted.
- AgentTesla Payload
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext