General
Target: c621c7f0d68b56a68d0f671aac6bfaa30825bc458bc6d33d9ec2c037a619979e
Size: 589KB
Sample: 220521-ps1mhsbbfl
MD5: 574c57b969845c5587840b1d16aab39b
SHA1: 00ecbb2a1a8454347ceff5889681d514eac4a599
SHA256: c621c7f0d68b56a68d0f671aac6bfaa30825bc458bc6d33d9ec2c037a619979e
SHA512: 7182c224522ca0030bdda09100162a91f0f15bb688d93a9b2d2a226d28a03ebccfae6dd06dc65b4f070b786676470fa895cfd215afe600f1edd6d423644849cd

Static task: static1

Behavioral task: behavioral1
Sample: swift copy-img.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: swift copy-img.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.shreesationline.in
Port: 587
Username: hotels@shreesationline.in
Password: H@)S13@#
Targets

Target: swift copy-img.exe
Size: 623KB
MD5: 0ededbc5197310516cdaa13b39ba4a5d
SHA1: 110a53b6786c064b2a3093fed7d666ccaa85059a
SHA256: d3062215b8b8b0cc106d0d2b704ad8d96f4cf375fb5f03e9f93475902b62b11c
SHA512: 52bfb351d72fed259371bfea121a962f67056c653c04b307173fe0c4e40c4cba15a6d953fa25ae776197fbaec41e98db5def978fede7b909794590d797983626
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext