Overview

overview

10

Static

static

1

TT SWIFT C...00.exe

windows7-x64

10

TT SWIFT C...00.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TT SWIFT COPY $37,000.00.exe

  • Size

    725KB

  • Sample

    230402-mxtnnafh88

  • MD5

    627d531f2361508ce6d650dfb74f50b7

  • SHA1

    74cdf31cf47ce5898fc6391bfdd1b8801bc2813f

  • SHA256

    fa1cb59a2e33d1b2256194f4741afc762ef819cf058614afd490f56e5e92bcd5

  • SHA512

    e13dc5bdf4e48cabdfe165fdad52c686d64d583e91d7251ea0b70d0437dd13be7fbbc56e5d81ae1647a6a04ff47a3c8aa84076ba5a049e907fa0dd02afa51066

  • SSDEEP

    12288:nUuXMbBzUnxUn7bNVVebMyywV42hhmihgMDdvqv96q6GmdEk9z:fXMbynWnlwVHh1hbdvq16qSmu

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.southernboilers.org
  • Port:
    587
  • Username:
    info@southernboilers.org
  • Password:
    Sksmoke2018#
  • Email To:
    obtxxxtf@gmail.com

Targets

    • Target

      TT SWIFT COPY $37,000.00.exe

    • Size

      725KB

    • MD5

      627d531f2361508ce6d650dfb74f50b7

    • SHA1

      74cdf31cf47ce5898fc6391bfdd1b8801bc2813f

    • SHA256

      fa1cb59a2e33d1b2256194f4741afc762ef819cf058614afd490f56e5e92bcd5

    • SHA512

      e13dc5bdf4e48cabdfe165fdad52c686d64d583e91d7251ea0b70d0437dd13be7fbbc56e5d81ae1647a6a04ff47a3c8aa84076ba5a049e907fa0dd02afa51066

    • SSDEEP

      12288:nUuXMbBzUnxUn7bNVVebMyywV42hhmihgMDdvqv96q6GmdEk9z:fXMbynWnlwVHh1hbdvq16qSmu

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks