General
Target: BANK SWIFT.pdf_________________________________________________________________________.exe
Size: 719KB
Sample: 240515-nd9ffaeg6w
MD5: 2e8778e7de604e1c3076a0b7f3dbf472
SHA1: 0520202c3eee3ea89bb2809bc56ca8bd2ef1479f
SHA256: fac5820afb79ef32f8b147ade861758c0c721f412341944766870d0418c8116e
SHA512: 353a1cac0f3424f9d7f5de53c4915d138f698405d0bf8b5486baaff4f0e0e1ec86b18e000f22dde65e9a40ac77e95ebd5f6a5544a96b15df665156d55f3c39c7
SSDEEP: 12288:GIlXAhYMjhvPie/rByY7777777777777zqoUCfsfQfJ7UF+bDc5T0yiKXu58gdYy:GmXAhYMFniyyHoN0fQjsZL+R
Static task: static1
Behavioral task: behavioral1
Sample: BANK SWIFT.pdf_________________________________________________________________________.exe
Resource: win7-20240220-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.mayedasselectromech.com
Port: 587
Username: [email protected]
Password: India@2014
Email To: [email protected]
Targets
Target: BANK SWIFT.pdf_________________________________________________________________________.exe
Size: 719KB
MD5: 2e8778e7de604e1c3076a0b7f3dbf472
SHA1: 0520202c3eee3ea89bb2809bc56ca8bd2ef1479f
SHA256: fac5820afb79ef32f8b147ade861758c0c721f412341944766870d0418c8116e
SHA512: 353a1cac0f3424f9d7f5de53c4915d138f698405d0bf8b5486baaff4f0e0e1ec86b18e000f22dde65e9a40ac77e95ebd5f6a5544a96b15df665156d55f3c39c7
SSDEEP: 12288:GIlXAhYMjhvPie/rByY7777777777777zqoUCfsfQfJ7UF+bDc5T0yiKXu58gdYy:GmXAhYMFniyyHoN0fQjsZL+R
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext