General
-
Target
8b3612c35f176d8af044d2aafcea0c0d2306b9f0188a1b06366d06a24fee5406.rar
-
Size
13KB
-
Sample
240430-bz8ptage64
-
MD5
834495aba519d709bb66ec9385dff94e
-
SHA1
9330dc1a2dc846e967de17e2bf36f60c1d063f75
-
SHA256
8b3612c35f176d8af044d2aafcea0c0d2306b9f0188a1b06366d06a24fee5406
-
SHA512
e0b4a806a39418e07c62ba0bd97f0c6ebfeda7231192c7be565aa3596b29359bf7d9b5f9e4dbfc1bf603b56973eb61c2ff2b52e38aa461dcdf40bdcaf3175cab
-
SSDEEP
192:TYkALlev8SpkAP+HCZfUSMbV1RQHs28KdBYZ7OA0fmWpGNeYeiTNpdP/kcWhlR9/:MkALYRxqCZMTO5dzp5YLBk/hf9KO
Static task
static1
Behavioral task
behavioral1
Sample
SWIFT Copy000224042024-pdf.vbs
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
SWIFT Copy000224042024-pdf.vbs
Resource
win10v2004-20240419-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.cash4cars.nz - Port:
587 - Username:
[email protected] - Password:
logs2024! - Email To:
[email protected]
Targets
-
-
Target
SWIFT Copy000224042024-pdf.vbs
-
Size
34KB
-
MD5
ec0b0c5aca480e26979b6d7dda8cbb14
-
SHA1
a98b3addf15724c049e1f2e44a071df9e7b0df21
-
SHA256
d5271109119ab792f4d1adfa7e24979a19fed1b0d13092b78db4114e3e943170
-
SHA512
b1deee49cd2f74b0c1c651414181e563dcdbd8658573380dc1dc419b5b8962df6f0105387eb0718087b4ac6efcc963fba3ca253c82cef10be4f07a38d986b713
-
SSDEEP
384:3E/p5dFHavtyX+hCajcYRn9LH/Y7Yzlgv9gufiQSKBq42:U/pRL+hDjcswPv9gyRSKBq42
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-