General
Target: 336770eca71c7ef886e0972687d5d08842eeb3c87554c29c4d7ec1cd8c2f92f9
Size: 396KB
Sample: 220521-bbs98aefgl
MD5: 1a575bcc5418c8f3ca26eddb48b6ec23
SHA1: 101e74e6a71f932991cb8eb3fdda1bcad10fb518
SHA256: 336770eca71c7ef886e0972687d5d08842eeb3c87554c29c4d7ec1cd8c2f92f9
SHA512: 003a089177607fa65362902e9a266d31d278dfa8a1ccd30e2f71284b8c40f4beec863e17152ddc9771686e4bdd3fb242031a6026efb0af5310ee46bd8e9b74b8
Static task: static1
Behavioral task: behavioral1
  Sample: TT SWIFT.PDF.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: TT SWIFT.PDF.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.yitaipackaging.com
  Port: 587
  Username: [email protected]
  Password: 22799213
Targets
Target: TT SWIFT.PDF.exe
Size: 437KB
MD5: 16cead8ab91ee65984e242d25310c8eb
SHA1: 56eee9eed7bca79c2380ca2f8b88d5938af3cc10
SHA256: 285921447b7223c6f6c6419c9ddfa5d26619286089de7cefa3255aa5f6c3bd51
SHA512: 44cc25cb1b8c9e97706455f4de08d0b47dd09da957b4444901091726e74929d55ed8db284c501bd3d8f55af1c3bfdff0a3edc2a2652a50a0ba266b2976b6f9ab
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- suricata: ET MALWARE AgentTesla Exfil Via SMTP
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext