General
- Target: d16c23015e1e8c42aaf428c4d375c9780ff1b3d24a904249844a25eb829be095
- Size: 216KB
- Sample: 220521-pfb4dsadeq
- MD5: 607bfb18a1256970e9de54e232c6d3f2
- SHA1: 7d5de7ef0c0bc3d4354680aa6c80cca58f461da0
- SHA256: d16c23015e1e8c42aaf428c4d375c9780ff1b3d24a904249844a25eb829be095
- SHA512: 4297b794c5ec259727ccc8c8f241e3b632013c9f46b76f36c77c3a09479d90d8e6c84e144707e3050203f224791e45e5ee28bd2d1a3c2cc9da6570d1b1a7ae55
Static task: static1
Behavioral task: behavioral1
- Sample: TTSwiftCopy.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: TTSwiftCopy.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.flexiitankpack.com
- Port: 587
- Username: james@flexiitankpack.com
- Password: N#ddFGL2
Targets
- Target: TTSwiftCopy.exe
- Size: 644KB
- MD5: bcf2c90283102d3d58781e22ead750db
- SHA1: 719d8160cfb6d8801fa462c47da9be16dbfa86ea
- SHA256: ae693716029a02fbd7ba621099b54a85874c4f85b224e4f271ddcf8039492453
- SHA512: b69b487b3bf5745ab0643c6d26a209eb64a42ec21670937d05476b69c25c1bde3877bfe3a6956e379b33bced347920fc7d5170a8d65d0617ffd8ee3d199b783d
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext