General
Target: TT SWIFT COPY $37,000.00.zip
Size: 507KB
Sample: 230402-p2cl2shf71
MD5: ea3f3a0c8e12bc153f91c2872c5a8442
SHA1: eb72c8a0b22e361e0c1bba552db1a56ad6d0ea91
SHA256: db21d3b937591adbc97ed7470468fe89e1163859ea6fa6aad1180ebbadc4466e
SHA512: 27e64c37ec34a9b45f6fad9e20f8cb40b03bc3ff48791a4d3ea0ef3b79aecd7804a325cee46d478b5b0f24bbdc4310aa42d2b7c53348b2550660e0fe991706c7
SSDEEP: 12288:Q9XaGEE2LKfIL2hTmiJoMDdFqv9626Gm7okH10:+azqhTJzdFq162Sk80
Static task: static1
Behavioral task: behavioral1
Sample: TT SWIFT COPY $37,000.00.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: TT SWIFT COPY $37,000.00.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.southernboilers.org
Port: 587
Username: [email protected]
Password: Sksmoke2018#
Email To: [email protected]
Targets
Target: TT SWIFT COPY $37,000.00.exe
Size: 725KB
MD5: 627d531f2361508ce6d650dfb74f50b7
SHA1: 74cdf31cf47ce5898fc6391bfdd1b8801bc2813f
SHA256: fa1cb59a2e33d1b2256194f4741afc762ef819cf058614afd490f56e5e92bcd5
SHA512: e13dc5bdf4e48cabdfe165fdad52c686d64d583e91d7251ea0b70d0437dd13be7fbbc56e5d81ae1647a6a04ff47a3c8aa84076ba5a049e907fa0dd02afa51066
SSDEEP: 12288:nUuXMbBzUnxUn7bNVVebMyywV42hhmihgMDdvqv96q6GmdEk9z:fXMbynWnlwVHh1hbdvq16qSmu
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext