General
- Target: TT SWIFT COPY $37,000.00.zip
- Size: 427KB
- Sample: 230331-l9ngqsaf8x
- MD5: d3c56e75279d6d4560e303c03a67712f
- SHA1: 5f535a79c3c18068ce3097daf7c8d2ac23284a3f
- SHA256: 9c134955b66949e70fb099e7a0f850787ba0b9fc82c0b99f2586b2d628e5c7d4
- SHA512: 0fd2bf676230eafc757c87c6a15e3c80f7162a495af7f131526b18a14eb538ae0392bbef045ebd061a10646bd592a8e689a0f317d12523eb07b24773fa9a81b0
- SSDEEP: 12288:BlevCUDOjCwULASpTW4+ziH32ZV6Q5h9hg5kt:BlevC+qKX2ZV6lat
Static task
- static1
Behavioral task
- behavioral1
  - Sample: TT SWIFT COPY $37,000.00.exe
  - Resource: win7-20230220-en
Behavioral task
- behavioral2
  - Sample: TT SWIFT COPY $37,000.00.exe
  - Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.southernboilers.org
- Port: 587
- Username: info@southernboilers.org
- Password: Sksmoke2018#
- Email To: obtxxxtf@gmail.com
Targets
- Target: TT SWIFT COPY $37,000.00.exe
- Size: 646KB
- MD5: 50d792a1ee7059bfaf34afd54b32cba8
- SHA1: a4b32d17b36b20155545927450a43eb2d117a306
- SHA256: 1b85fb5069a28ee305b4371bda09a96674ec37d9ebc52aecdb6c6245419f067f
- SHA512: 85b75b15bdc59e7b12cae69c0d3245ef7b7d45cbb0a1a5e09232c03844400883dfe01a81a4d69752dcd43c7568f96e747959a28adb08e10c72aefa06e623afea
- SSDEEP: 12288:AKPFSP0zGiyywVbU+zi93cZ/6QlJ9hS2H:AiFSsGUwVbuFcZ/6d+
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext