Analysis
max time kernel: 133s
max time network: 66s
platform: windows10_x64
resource: win10v200430
submitted: 24-06-2020 15:07
Static task: static1
Behavioral task: behavioral1
  Sample: Swift Copy.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Swift Copy.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Swift Copy.exe
Size: 1.3MB
MD5: d4bd91849b8f43bd0b1480dbb0f188e6
SHA1: fe51787ba8b33b67fed62a3cc73123064774882c
SHA256: bfefac71337cac5e66779e74fe6ba571620329ff9da8d7ce21999d90b46bcdb9
SHA512: a9978a1aa90dda5c42ed425785bd3199df91a8f4a3224de27e081f4af72a7271c7adb3050b69e9163ae55618430710e1c52c7b5dc732c13798f40dec80220c14
Score: 10/10
Malware Config
Extracted
Family: agenttesla
Credentials:
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: export5@fufeng-grooup.com
  Password: K$pbkEK0
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/1660-0-0x0000000000500000-0x000000000054C000-memory.dmp | family_agenttesla
  behavioral2/memory/1660-1-0x0000000000546DFE-mapping.dmp | family_agenttesla
Drops startup file (1 IoCs)
Processes: Swift Copy.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DFDWiz.url | Swift Copy.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: Swift Copy.exe
  description | pid | process | target process
  PID 1352 set thread context of 1660 | 1352 | Swift Copy.exe | MSBuild.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: MSBuild.exe
  pid | process
  1660 | MSBuild.exe
  1660 | MSBuild.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: MSBuild.exe
  description | pid | process
  Token: SeDebugPrivilege | 1660 | MSBuild.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: Swift Copy.exe
  pid | process
  1352 | Swift Copy.exe
  1352 | Swift Copy.exe
  1352 | Swift Copy.exe
Suspicious use of SendNotifyMessage (3 IoCs)
Processes: Swift Copy.exe
  pid | process
  1352 | Swift Copy.exe
  1352 | Swift Copy.exe
  1352 | Swift Copy.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: MSBuild.exe
  pid | process
  1660 | MSBuild.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: Swift Copy.exe
  description | pid | process | target process
  PID 1352 wrote to memory of 1660 | 1352 | Swift Copy.exe | MSBuild.exe
  PID 1352 wrote to memory of 1660 | 1352 | Swift Copy.exe | MSBuild.exe
  PID 1352 wrote to memory of 1660 | 1352 | Swift Copy.exe | MSBuild.exe
  PID 1352 wrote to memory of 1660 | 1352 | Swift Copy.exe | MSBuild.exe
  PID 1352 wrote to memory of 1660 | 1352 | Swift Copy.exe | MSBuild.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx