Analysis
-
max time kernel
133s -
max time network
66s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
24-06-2020 15:07
General
-
Target
Swift Copy.exe
-
Size
1.3MB
-
MD5
d4bd91849b8f43bd0b1480dbb0f188e6
-
SHA1
fe51787ba8b33b67fed62a3cc73123064774882c
-
SHA256
bfefac71337cac5e66779e74fe6ba571620329ff9da8d7ce21999d90b46bcdb9
-
SHA512
a9978a1aa90dda5c42ed425785bd3199df91a8f4a3224de27e081f4af72a7271c7adb3050b69e9163ae55618430710e1c52c7b5dc732c13798f40dec80220c14
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
export5@fufeng-grooup.com - Password:
K$pbkEK0
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1660-0-0x0000000000500000-0x000000000054C000-memory.dmpFilesize
304KB
-
memory/1660-1-0x0000000000546DFE-mapping.dmp