General
Target: TT SWIFT COPY $37,000.00.exe
Size: 646KB
Sample: 230331-hsm8vsgg49
MD5: 50d792a1ee7059bfaf34afd54b32cba8
SHA1: a4b32d17b36b20155545927450a43eb2d117a306
SHA256: 1b85fb5069a28ee305b4371bda09a96674ec37d9ebc52aecdb6c6245419f067f
SHA512: 85b75b15bdc59e7b12cae69c0d3245ef7b7d45cbb0a1a5e09232c03844400883dfe01a81a4d69752dcd43c7568f96e747959a28adb08e10c72aefa06e623afea
SSDEEP: 12288:AKPFSP0zGiyywVbU+zi93cZ/6QlJ9hS2H:AiFSsGUwVbuFcZ/6d+
Tasks
Static task: static1
Behavioral task: behavioral1 (sample: TT SWIFT COPY $37,000.00.exe; resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: TT SWIFT COPY $37,000.00.exe; resource: win10v2004-20230220-en)
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.southernboilers.org
Port: 587
Username: info@southernboilers.org
Password: Sksmoke2018#
Email To: obtxxxtf@gmail.com
These fields are the stealer's exfiltration settings: it authenticates to the listed host with the listed credentials and mails harvested data to the Email To address. The sending mailbox is most likely a compromised third-party account rather than attacker-owned infrastructure, so treat the host and sender as indicators (and notify the domain owner); the collection address belongs to the operator.
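The config above is the only network channel this sample needs, so it is the natural place to build detection from. As an added example (not part of the Triage report or of the malware), the following Python turns the extracted fields into network indicators, emits a Suricata rule keyed on the base64-encoded username that an SMTP AUTH LOGIN exchange puts on the wire, and runs that check over a constructed SMTP client transcript. The transcript, the client hostname DESKTOP-AB12CD and the rule sid are assumptions; the transcript deliberately omits STARTTLS, because once the session is upgraded to TLS only the host and port remain visible to a network sensor.

```python
import base64
import re

# Copy of the config fields the sandbox extracted from this sample (as listed in the report).
EXTRACTED_CONFIG = """\
Protocol: smtp
Host: mail.southernboilers.org
Port: 587
Username: info@southernboilers.org
Password: Sksmoke2018#
Email To: obtxxxtf@gmail.com
"""


def parse_config(text):
    """Parse 'Key: value' lines into a dict keyed by snake_case field names."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        cfg[key.strip().lower().replace(" ", "_")] = value.strip()
    cfg["port"] = int(cfg["port"])
    return cfg


def b64(s):
    """SMTP AUTH LOGIN sends each credential as one base64 line, so this is the on-wire form."""
    return base64.b64encode(s.encode()).decode()


def indicators(cfg):
    """Actionable IOCs derived from the config; the password itself is deliberately left out."""
    return {
        "exfil_host": cfg["host"],
        "exfil_port": cfg["port"],
        "sender_account": cfg["username"],
        "collector_address": cfg["email_to"],
        "auth_login_username_b64": b64(cfg["username"]),
    }


def suricata_rule(ind, sid=9000001):
    """Suricata rule matching the AUTH LOGIN username on the exfil port (sid is an arbitrary local value)."""
    return (
        'alert smtp $HOME_NET any -> any {port} (msg:"AgentTesla SMTP exfil - AUTH LOGIN as {user}"; '
        'flow:established,to_server; content:"{b64}"; sid:{sid}; rev:1;)'
    ).format(port=ind["exfil_port"], user=ind["sender_account"],
             b64=ind["auth_login_username_b64"], sid=sid)


RCPT_RE = re.compile(r"^RCPT TO:<([^>]+)>", re.IGNORECASE)


def scan_smtp_client_lines(lines, ind):
    """Return (line_number, reason) for every client line that matches an indicator."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line == ind["auth_login_username_b64"]:
            hits.append((n, "AUTH LOGIN username is the stolen sender account"))
        m = RCPT_RE.match(line)
        if m and m.group(1).lower() == ind["collector_address"].lower():
            hits.append((n, "recipient is the operator's collection mailbox"))
    return hits


CONFIG = parse_config(EXTRACTED_CONFIG)
INDICATORS = indicators(CONFIG)

# Constructed client side of an SMTP session (not captured traffic). No STARTTLS, so the
# AUTH exchange is visible; a TLS-upgraded session would leave only host and port to match on.
SAMPLE_SMTP_CLIENT_LINES = [
    "EHLO DESKTOP-AB12CD",
    "AUTH LOGIN",
    b64(CONFIG["username"]),
    b64(CONFIG["password"]),
    "MAIL FROM:<%s>" % CONFIG["username"],
    "RCPT TO:<%s>" % CONFIG["email_to"],
    "DATA",
]

if __name__ == "__main__":
    print(suricata_rule(INDICATORS))
    for n, why in scan_smtp_client_lines(SAMPLE_SMTP_CLIENT_LINES, INDICATORS):
        print("line %d: %s" % (n, why))
```

The rule keys on the username rather than the password so it can be shared without redistributing a live credential; pair it with a DNS or TLS-SNI alert on mail.southernboilers.org for sessions where STARTTLS hides the AUTH lines.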
Targets
Target: TT SWIFT COPY $37,000.00.exe
Signatures
AgentTesla
Agent Tesla is a .NET information stealer with remote-access (RAT) features, originally written in Visual Basic .NET. It harvests credentials from browsers, mail and FTP clients, logs keystrokes and clipboard contents, and exfiltrates over SMTP, FTP or HTTP; this sample uses the SMTP channel listed under Malware Config.
-
Checks computer location settings
Looks up the country code configured in the registry, most likely a geofence so the payload stays inactive in regions the operator wants to avoid.
-
Accesses Microsoft Outlook profiles
Reads the stored Outlook account profiles, the usual source of mail credentials for this family.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP, which is included in the data sent back to the operator.
-
Suspicious use of SetThreadContext
SetThreadContext on a thread in another process is the tell-tale step of process hollowing (start a suspended process, replace its image, point the thread's context at the new entry point, resume). The signature flags the call pattern only; it does not by itself identify the host process the unpacked payload was injected into.