Analysis
max time kernel: 144s
max time network: 148s
platform: windows10_x64
resource: win10v200430
submitted: 07-07-2020 10:25
Static task: static1
Behavioral task: behavioral1
Sample: Swift copyUSD47000.exe
Resource: win7
General
Target: Swift copyUSD47000.exe
Size: 444KB
MD5: ba3efad462a67b64b57a07f73ab18c4b
SHA1: 3e233dcdac6f00af3594b3aa04a3f2c2ae9cfa78
SHA256: 359202073aae173560c88009c27966e8f6a4bb3b05c48811f35dcf27b13ff0a0
SHA512: 834c05b9b4e3ad0599271e11ae366dcdc88a10dfbf962e051a4fd5538a14581ebb17d414256f6ca56552a0a57d3804a4813fbe04a5a1dcb5d385d2e081356e94
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.bulletlogistics.in
Port: 587
Username: [email protected]
Password: I0B!A&7;-f!=
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource                                                                       yara_rule
behavioral2/memory/3180-3-0x0000000000400000-0x00000000004A4000-memory.dmp   family_agenttesla
behavioral2/memory/3180-4-0x0000000000990000-0x00000000009DC000-memory.dmp   family_agenttesla
-
Processes:
resource                                                                       yara_rule
behavioral2/memory/3180-0-0x0000000000400000-0x00000000004A4000-memory.dmp   upx
behavioral2/memory/3180-2-0x0000000000400000-0x00000000004A4000-memory.dmp   upx
behavioral2/memory/3180-3-0x0000000000400000-0x00000000004A4000-memory.dmp   upx
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                              pid    process                  target process
PID 3824 set thread context of 3180      3824   Swift copyUSD47000.exe   Swift copyUSD47000.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid    process
3824   Swift copyUSD47000.exe
3824   Swift copyUSD47000.exe
3180   Swift copyUSD47000.exe
3180   Swift copyUSD47000.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid    process
3824   Swift copyUSD47000.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                 pid    process
Token: SeDebugPrivilege     3180   Swift copyUSD47000.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                          pid    process                  target process
PID 3824 wrote to memory of 3180     3824   Swift copyUSD47000.exe   Swift copyUSD47000.exe
PID 3824 wrote to memory of 3180     3824   Swift copyUSD47000.exe   Swift copyUSD47000.exe
PID 3824 wrote to memory of 3180     3824   Swift copyUSD47000.exe   Swift copyUSD47000.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Swift copyUSD47000.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copyUSD47000.exe"
Tree level: 1
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID: 3824
-
  C:\Users\Admin\AppData\Local\Temp\Swift copyUSD47000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copyUSD47000.exe"
  Tree level: 2 (child of PID 3824)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3180