Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10_x64 -
resource
win10 -
submitted
24-06-2020 15:07
General
-
Target
Swift Copy.exe
-
Size
1.3MB
-
MD5
60e4981cf8ab5329b2616f84757822f8
-
SHA1
f040eac652c22818549bdf5607be56e4e4cb03e7
-
SHA256
1c5653f7880f54b86f76ab009eb9775f3596d89e836d3d9bdb3c921612cb845b
-
SHA512
75a30df4fbd56e0f61502c4e8f4c367e103c24acf51c39b714570c1b521ad534082089f20da3ed849852319528f4873dd631142cfbe85ca657f352fcfb66cee0
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
goksal.sir@prosoftelektrik.com - Password:
Wm^kN*!7
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3828-1-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/3828-2-0x00000000004469FE-mapping.dmp