Analysis

max time kernel: 137s
max time network: 73s
platform: windows10_x64
resource: win10v200430
submitted: 24-06-2020 15:08
Static task: static1

Behavioral task: behavioral1
  Sample: Swift Copy.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Swift Copy.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General

Target: Swift Copy.exe
Size: 1.4MB
MD5: 113dd222f32f0296e2666da5a76e90f5
SHA1: 1fbd1f1a7aabdfbd17fb0b9da6acb02ec153a794
SHA256: 745110c4c62b046770c913cb9c5760e4728047f6ccf08fcdac12f8c3f9ac0be1
SHA512: 5f3ded52643cb52d4063f89f0868a17359eb74c5aeb9441404ab96c3ac9063cdcd30bd4335e4baae274091c8933ed47d649c9fc25f3563443a792dd91fd70cb4
Score: 10/10
Malware Config

Extracted
Family: agenttesla
Credentials
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: gokan.burulday@prosoftelektrik.com
  Password: ad%xWZ!7
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/420-0-0x0000000000430000-0x0000000000482000-memory.dmp | family_agenttesla
  behavioral2/memory/420-1-0x000000000047C67E-mapping.dmp | family_agenttesla

Drops startup file (1 IoCs)
Processes: Swift Copy.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedt32.url | Swift Copy.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: Swift Copy.exe
  description | pid | process | target process
  PID 3724 set thread context of 420 | 3724 | Swift Copy.exe | MSBuild.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: MSBuild.exe
  pid | process
  420 | MSBuild.exe
  420 | MSBuild.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: MSBuild.exe
  description | pid | process
  Token: SeDebugPrivilege | 420 | MSBuild.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: Swift Copy.exe
  pid | process
  3724 | Swift Copy.exe
  3724 | Swift Copy.exe
  3724 | Swift Copy.exe

Suspicious use of SendNotifyMessage (3 IoCs)
Processes: Swift Copy.exe
  pid | process
  3724 | Swift Copy.exe
  3724 | Swift Copy.exe
  3724 | Swift Copy.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: MSBuild.exe
  pid | process
  420 | MSBuild.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: Swift Copy.exe, MSBuild.exe
  description | pid | process | target process
  PID 3724 wrote to memory of 420 | 3724 | Swift Copy.exe | MSBuild.exe
  PID 3724 wrote to memory of 420 | 3724 | Swift Copy.exe | MSBuild.exe
  PID 3724 wrote to memory of 420 | 3724 | Swift Copy.exe | MSBuild.exe
  PID 3724 wrote to memory of 420 | 3724 | Swift Copy.exe | MSBuild.exe
  PID 3724 wrote to memory of 420 | 3724 | Swift Copy.exe | MSBuild.exe
  PID 420 wrote to memory of 2348 | 420 | MSBuild.exe | netsh.exe
  PID 420 wrote to memory of 2348 | 420 | MSBuild.exe | netsh.exe
  PID 420 wrote to memory of 2348 | 420 | MSBuild.exe | netsh.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      command line: "netsh" wlan show profile