Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10_x64
- resource: win10
- submitted: 24-06-2020 15:09
Static task: static1
Behavioral task: behavioral1
- Sample: 30% Scan SWIFT 09557875678.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 30% Scan SWIFT 09557875678.exe
- Resource: win10
General
- Target: 30% Scan SWIFT 09557875678.exe
- Size: 1.3MB
- MD5: da134199e42f088378988aa5b643de1c
- SHA1: 07fb70e736ee851969e4bcadd5ba782b76d63229
- SHA256: 8f32b214dfe7dca133c2c100d46aae307ae1436a2b4afa27f261cb51c7ae262a
- SHA512: ae5654d2d81e959b90524e6076f845c0f73a8d9d83a8f50de354842e39f00265e0b6b6296ca7b8bb55a46eab90dadfd4935457d34817a40ac9701716f64dca85
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.pharco--corp.com
- Port: 587
- Username: saleh.mohamed@pharco--corp.com
- Password: (UxyAlp7
Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 3924, MSBuild.exe
  - 3924, MSBuild.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid, process):
  - 3024, 30% Scan SWIFT 09557875678.exe
  - 3024, 30% Scan SWIFT 09557875678.exe
  - 3024, 30% Scan SWIFT 09557875678.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid, process):
  - 3024, 30% Scan SWIFT 09557875678.exe
  - 3024, 30% Scan SWIFT 09557875678.exe
  - 3024, 30% Scan SWIFT 09557875678.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 3924, MSBuild.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description, pid, process, target process):
  - PID 3024 wrote to memory of 3924, 3024, 30% Scan SWIFT 09557875678.exe, MSBuild.exe
  - PID 3024 wrote to memory of 3924, 3024, 30% Scan SWIFT 09557875678.exe, MSBuild.exe
  - PID 3024 wrote to memory of 3924, 3024, 30% Scan SWIFT 09557875678.exe, MSBuild.exe
  - PID 3024 wrote to memory of 3924, 3024, 30% Scan SWIFT 09557875678.exe, MSBuild.exe
  - PID 3024 wrote to memory of 3924, 3024, 30% Scan SWIFT 09557875678.exe, MSBuild.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 3024 set thread context of 3924, 3024, 30% Scan SWIFT 09557875678.exe, MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\30% Scan SWIFT 09557875678.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30% Scan SWIFT 09557875678.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (child process)
    Command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken