General
-
Target
b77b6eb8155754d968ac6ed131147679a09b44767e695fdf96fb5b2bf4544c9b
-
Size
568KB
-
Sample
220521-cp6yxaecf4
-
MD5
8bd0d81c4118fca8384af012a40b294e
-
SHA1
1ea94ff792d5e6a43650e43ec2a05625b48e40c5
-
SHA256
b77b6eb8155754d968ac6ed131147679a09b44767e695fdf96fb5b2bf4544c9b
-
SHA512
b2fda67440ee369421cef023dfba452802f5a816668fa14a77b878cc4ffc2d25868d2b79a2c162774c795944e144c6d872fe61770e46148d6c5fd9049cb0e308
Static task
static1
Behavioral task
behavioral1
Sample
EmiratesNBD_swift_mt103.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
EmiratesNBD_swift_mt103.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.khokhwmeshmesh.com
Port: 587
Username: [email protected]
Password: hr@kmc1800066
Targets
-
Target
EmiratesNBD_swift_mt103.com
-
Size
506KB
-
MD5
632cf515035dd389d366d9c11cd4f010
-
SHA1
141a9518344e636f71ba8b0ae68d0cb57aa57ed6
-
SHA256
2acce03be9204acbcc6fc59fa5bebc3720d91a9d7daa122c0ea086c4727fafce
-
SHA512
a2c4d74eda8af3b4bd16ba91c64c338cf266bed3dcd51dc0a87935ec2934933a0097cbf4587a467db7855d4f0e1e68989695de7a861936b443458f9943fa2c7f
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-