General
-
Target
BANK SWIFT --.zip
-
Size
594KB
-
Sample
240619-ssg2ysserf
-
MD5
5cb9e8836495d836398405146883c88f
-
SHA1
ac8e1aca98fe0dab166c86d1795a655fee1335c3
-
SHA256
ea6c0088225e1b6b3028370c409d02c10d9f90c82fee20bd26641742e6821a35
-
SHA512
d4e4591a39dd1ba780a3689e45eb55cd116a4667c147ddbf70164150c5df570b2a3de7ef71057de43c350dbebdaea69860a9fb40bdbe1a0f256440c2dddb9027
-
SSDEEP
12288:nRhPyFBow2AJ6qwe85HwnNkOuoF3wkBCR/y+Zk+ODqJMPb2vSTL:HqBo8JBLNkOBf8stDqpvS
Static task
static1
Behavioral task
behavioral1
Sample
BANK SWIFT --.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
BANK SWIFT --.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.naubahar.com
Port: 587
Username: [email protected]
Password: Hum$885+Nn
Email To: [email protected]
Extracted
Protocol: smtp
Host: mail.naubahar.com
Port: 587
Username: [email protected]
Password: Hum$885+Nn
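The SMTP settings above are the mailbox AgentTesla sends harvested credentials to, so they double as network indicators. The following is an added example (not part of the sandbox report) that parses the config in the flattened "Key: value - Key: value" form the report prints it in and hunts for the exfiltration host in constructed DNS and connection logs. The log format, the hostnames WS01 to WS03, the IP addresses and the timestamps are invented for the example, and the redacted "[email protected]" address fields are kept exactly as the report shows them.

```python
"""Turn the AgentTesla SMTP exfiltration config extracted above into hunting
indicators and run them over constructed DNS and connection logs.
Added example; it is not part of the sandbox report."""
import re

# The config exactly as the report flattens it ("Key: value - Key: value").
# The address fields read "[email protected]" because the report redacts them.
EXTRACTED_CONFIG = (
    "Protocol: smtp- Host: mail.naubahar.com - Port: 587 - "
    "Username: [email protected] - Password: Hum$885+Nn - "
    "Email To: [email protected]"
)

# Constructed logs: hostnames, IPs and timestamps are invented for the example.
DNS_LOG = [
    "2024-06-19T10:00:01Z WS01 query=mail.naubahar.com answer=198.51.100.7",
    "2024-06-19T10:00:03Z WS01 query=update.microsoft.com answer=203.0.113.20",
    "2024-06-19T10:02:10Z WS02 query=MAIL.NAUBAHAR.COM answer=198.51.100.7",
]
CONN_LOG = [
    "2024-06-19T10:00:02Z WS01 10.0.0.5:51234 -> 198.51.100.7:587 tcp",
    "2024-06-19T10:00:04Z WS01 10.0.0.5:51240 -> 203.0.113.20:443 tcp",
    "2024-06-19T10:02:11Z WS02 10.0.0.6:51300 -> 198.51.100.7:587 tcp",
    "2024-06-19T10:03:00Z WS03 10.0.0.7:51400 -> 198.51.100.7:80 tcp",
]

DNS_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)")
CONN_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+) tcp")


def parse_extracted_config(text):
    """Split the flattened 'Key: value - Key: value' string into a dict.

    Fields are separated by ' - ' (the report sometimes drops the space before
    the dash, as in 'smtp- Host'), so split on a dash that is followed by a
    'Key:' token rather than on every dash. Keys are lower-cased.
    """
    cfg = {}
    for part in re.split(r"\s*-\s*(?=[A-Za-z][A-Za-z ]*:\s)", text.strip()):
        key, _, value = part.partition(":")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def indicators(cfg):
    """Network indicators worth hunting: exfil host, port and the SMTP account name."""
    return {
        "host": cfg["host"].lower(),
        "port": int(cfg["port"]),
        "username": cfg["username"].lower(),
    }


def hunt(ioc, dns_lines, conn_lines):
    """Flag DNS lookups of the exfil host, then TCP connections to any address
    it resolved to on the exfil port. Returns human-readable alert strings."""
    alerts, resolved = [], set()
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m and m["query"].lower() == ioc["host"]:
            resolved.add(m["answer"])
            alerts.append(f"{m['ts']} {m['host']} resolved exfil host {m['query']} -> {m['answer']}")
    for line in conn_lines:
        m = CONN_RE.match(line)
        if m and m["dst"] in resolved and int(m["dport"]) == ioc["port"]:
            alerts.append(f"{m['ts']} {m['host']} SMTP exfil connection {m['src']} -> {m['dst']}:{m['dport']}")
    return alerts


if __name__ == "__main__":
    config = parse_extracted_config(EXTRACTED_CONFIG)
    for alert in hunt(indicators(config), DNS_LOG, CONN_LOG):
        print(alert)
```

Correlating the DNS answer with the connection log matters because the mail host can move between addresses; matching on the resolved IP and port 587 together, rather than on either alone, keeps unrelated SMTP submission traffic out of the alert set. The SMTP username is kept in the indicator set so the same account can be searched in mail-gateway AUTH logs.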
Targets
-
-
Target
BANK SWIFT --.exe
-
Size
635KB
-
MD5
f4c8e4c7afbca2fc85a4c2c9988f2cdf
-
SHA1
7b1ac72ffc5d33b6c12680130412469cf65513e1
-
SHA256
d5ebb766a996a9d50d50f61068bb9ff7586b38f3ef30ded37407bd642db50009
-
SHA512
98bd29b89e492f826fb472fb6ba44414e2c138cbb75bb8c9af8f9c9457562f78e770fafd3e6fa246ae353137a586f44fa2fca69fdd479837f13e14ccafa3cfbf
-
SSDEEP
12288:/3nwFBm2+Ql6+wSoRFUhNmOW6UC9uVCX/yiZwYcgSj7DmakR:ABmklf9rmOSQUbgim5
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, typically built with Visual Basic .NET or C#. It exfiltrates harvested credentials over SMTP, FTP or HTTP, which is why the extracted configuration above is an SMTP mailbox.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (typically via Add-MpPreference) so the dropped payload is not scanned.
-
Checks computer location settings
Looks up the country code configured in the registry, likely as a geofence check.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
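The behaviours listed above translate directly into endpoint detections. This added example (not from the report or the sandbox vendor) runs three rules over constructed Sysmon-style events: PowerShell adding Defender exclusions, a write to a Run key, and a DNS query for an external-IP lookup service; it then escalates any process that shows two or more of those behaviours, since any one of them alone is also produced by legitimate software. The file paths, the Run value name "Updater", the list of IP-lookup domains and the event layout are assumptions; the report names neither the exact PowerShell command line nor the lookup service, and the SetThreadContext use it flags is not visible in these event types.

```python
"""Endpoint detections for the behaviours the sandbox flagged: PowerShell adding
Defender exclusions, Run-key persistence and an external-IP lookup, run over
constructed Sysmon-style events. Added example; not from the report."""
from collections import defaultdict

POWERSHELL = ("powershell.exe", "pwsh.exe")
EXCLUSION_FLAGS = ("-exclusionpath", "-exclusionextension", "-exclusionprocess")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Assumed list of legitimate IP-lookup services; the report does not name the one used.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me", "ip-api.com"}

MALWARE = r"C:\Users\victim\Downloads\BANK SWIFT --.exe"  # assumed drop path

# Constructed events (Sysmon IDs: 1 = process create, 13 = registry value set, 22 = DNS query).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -WindowStyle Hidden Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming" -ExclusionExtension ".exe" -ExclusionProcess "BANK SWIFT --.exe"',
     "ParentImage": MALWARE},
    {"EventID": 13, "Image": MALWARE,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\Updater.exe"},
    {"EventID": 22, "Image": MALWARE, "QueryName": "api.ipify.org"},
    # Benign noise: an admin reading Defender settings, a browser resolving a normal site.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-MpPreference", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.example.com"},
]


def detect_defender_exclusion(ev):
    """Process creation of PowerShell whose command line adds a Defender exclusion.
    The responsible process is the parent that spawned PowerShell."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if image.endswith(POWERSHELL) and "add-mppreference" in cmd and any(f in cmd for f in EXCLUSION_FLAGS):
        return ("Defender exclusion via PowerShell", "T1562.001", ev.get("ParentImage", image))
    return None


def detect_run_key(ev):
    """Registry value set under a Run/RunOnce key."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if any(k in target for k in RUN_KEYS):
        return ("Run key persistence", "T1547.001", ev.get("Image", ""))
    return None


def detect_ip_lookup(ev):
    """DNS query for a public what-is-my-IP service."""
    if ev.get("EventID") != 22:
        return None
    if ev.get("QueryName", "").lower() in IP_LOOKUP_DOMAINS:
        return ("External IP lookup", "T1016", ev.get("Image", ""))
    return None


RULES = (detect_defender_exclusion, detect_run_key, detect_ip_lookup)


def run_rules(events):
    """Apply every rule to every event; returns (rule name, ATT&CK id, responsible process)."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


def score_actors(hits, threshold=2):
    """Group hits by responsible process; processes showing at least `threshold`
    distinct behaviours are escalated. Returns {process: [behaviour names]}."""
    by_actor = defaultdict(set)
    for name, _technique, actor in hits:
        by_actor[actor.lower()].add(name)
    return {actor: sorted(names) for actor, names in by_actor.items() if len(names) >= threshold}


if __name__ == "__main__":
    all_hits = run_rules(EVENTS)
    for name, technique, actor in all_hits:
        print(f"{technique:<10} {name:<35} {actor}")
    for actor, names in score_actors(all_hits).items():
        print(f"ESCALATE {actor}: {', '.join(names)}")
```

Attributing the PowerShell rule to the parent image rather than to powershell.exe itself is what lets the three hits collapse onto the dropped executable; without that, the exclusion hit would sit on a process that every other rule ignores and the escalation threshold would never be reached.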
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)