General

  • Target

    BANK SWIFT --.zip

  • Size

    594KB

  • Sample

    240619-ssg2ysserf

  • MD5

    5cb9e8836495d836398405146883c88f

  • SHA1

    ac8e1aca98fe0dab166c86d1795a655fee1335c3

  • SHA256

    ea6c0088225e1b6b3028370c409d02c10d9f90c82fee20bd26641742e6821a35

  • SHA512

    d4e4591a39dd1ba780a3689e45eb55cd116a4667c147ddbf70164150c5df570b2a3de7ef71057de43c350dbebdaea69860a9fb40bdbe1a0f256440c2dddb9027

  • SSDEEP

    12288:nRhPyFBow2AJ6qwe85HwnNkOuoF3wkBCR/y+Zk+ODqJMPb2vSTL:HqBo8JBLNkOBf8stDqpvS

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.naubahar.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Hum$885+Nn

Targets

    • Target

      BANK SWIFT --.exe

    • Size

      635KB

    • MD5

      f4c8e4c7afbca2fc85a4c2c9988f2cdf

    • SHA1

      7b1ac72ffc5d33b6c12680130412469cf65513e1

    • SHA256

      d5ebb766a996a9d50d50f61068bb9ff7586b38f3ef30ded37407bd642db50009

    • SHA512

      98bd29b89e492f826fb472fb6ba44414e2c138cbb75bb8c9af8f9c9457562f78e770fafd3e6fa246ae353137a586f44fa2fca69fdd479837f13e14ccafa3cfbf

    • SSDEEP

      12288:/3nwFBm2+Ql6+wSoRFUhNmOW6UC9uVCX/yiZwYcgSj7DmakR:ABmklf9rmOSQUbgim5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks