Analysis
  max time kernel: 140s
  max time network: 147s
  platform: windows10_x64
  resource: win10
  submitted: 24-06-2020 15:07
Static task: static1
Behavioral task: behavioral1
  Sample: Swift Copy.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Swift Copy.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: Swift Copy.exe
  Size: 1.3MB
  MD5: 60e4981cf8ab5329b2616f84757822f8
  SHA1: f040eac652c22818549bdf5607be56e4e4cb03e7
  SHA256: 1c5653f7880f54b86f76ab009eb9775f3596d89e836d3d9bdb3c921612cb845b
  SHA512: 75a30df4fbd56e0f61502c4e8f4c367e103c24acf51c39b714570c1b521ad534082089f20da3ed849852319528f4873dd631142cfbe85ca657f352fcfb66cee0
  Score: 10/10
Malware Config
  Extracted
  Family: agenttesla
  Credentials
    Protocol: smtp
    Host: us2.smtp.mailhostbox.com
    Port: 587
    Username: goksal.sir@prosoftelektrik.com
    Password: Wm^kN*!7
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (2 IoCs)
  Processes:
    resource: behavioral2/memory/3828-1-0x0000000000400000-0x000000000044C000-memory.dmp, yara_rule: family_agenttesla
    resource: behavioral2/memory/3828-2-0x00000000004469FE-mapping.dmp, yara_rule: family_agenttesla

Drops startup file (1 IoC)
  Processes: Swift Copy.exe
    description: File opened for modification, ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\net.url, process: Swift Copy.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes: Swift Copy.exe
    description: PID 3588 set thread context of 3828, pid: 3588, process: Swift Copy.exe, target process: MSBuild.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: MSBuild.exe
    pid: 3828, process: MSBuild.exe
    pid: 3828, process: MSBuild.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: MSBuild.exe
    description: Token: SeDebugPrivilege, pid: 3828, process: MSBuild.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: Swift Copy.exe
    pid: 3588, process: Swift Copy.exe
    pid: 3588, process: Swift Copy.exe
    pid: 3588, process: Swift Copy.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: Swift Copy.exe
    pid: 3588, process: Swift Copy.exe
    pid: 3588, process: Swift Copy.exe
    pid: 3588, process: Swift Copy.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: MSBuild.exe
    pid: 3828, process: MSBuild.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: Swift Copy.exe
    description: PID 3588 wrote to memory of 3828, pid: 3588, process: Swift Copy.exe, target process: MSBuild.exe
    description: PID 3588 wrote to memory of 3828, pid: 3588, process: Swift Copy.exe, target process: MSBuild.exe
    description: PID 3588 wrote to memory of 3828, pid: 3588, process: Swift Copy.exe, target process: MSBuild.exe
    description: PID 3588 wrote to memory of 3828, pid: 3588, process: Swift Copy.exe, target process: MSBuild.exe
    description: PID 3588 wrote to memory of 3828, pid: 3588, process: Swift Copy.exe, target process: MSBuild.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx