General
Target: 4979759ed55defbed47edb7ae0bc894278225a8e2ecdac07733c712591326641
Size: 732KB
Sample: 220521-pl1c6sagcl
MD5: 8424c5daeec2f4e62a1e8661560c6ec3
SHA1: 2e6ebc675944a38e41b1373b3988879843bd22d8
SHA256: 4979759ed55defbed47edb7ae0bc894278225a8e2ecdac07733c712591326641
SHA512: b7cd41039b95dfe6c1bd75bd3951d2d0b6e14afd97868603d59645bfd575b013da83c4fc489f53d373b80d7d9a73395d4ab2a749f494fd9239ff65f719ba4e8b
Static task: static1
Behavioral task: behavioral1
  Sample: emiratenbd_swift_mt103.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: emiratenbd_swift_mt103.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.khokhwmeshmesh.com
Port: 587
Username: hr@khokhwmeshmesh.com
Password: hr@kmc1800066
Targets
Target: emiratenbd_swift_mt103.com
Size: 671KB
MD5: 01b5201376abbbc0296f96d9036fc563
SHA1: 408eca35decfeaa6dad261b10819df717e111b89
SHA256: e71642990d5d7a50d9495bdc23ea33543fe7a27e33becd9ec7c021be2bb45494
SHA512: e09a6ecfaeb497550be869053348354be2682b92b104f95c5d722c7b4ea328d1ec49f4e59899de1a158f2d49a48e009a91bd42957994460cb97c8f988465bbae
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext