Analysis
- max time kernel: 136s
- max time network: 78s
- platform: windows10_x64
- resource: win10v200430
- submitted: 10-07-2020 05:12
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: swift copy.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: swift copy.exe, Resource: win10v200430)
General
- Target: swift copy.exe
- Size: 899KB
- MD5: 615fdf5bd5f20b021c457478f80b2938
- SHA1: 73616a95f5ef3fa2f9dc4a258f9ac4ca3b1f80ba
- SHA256: 4a754cc65487647ffb0067986dd92f27676a61de5f26e9f08130ac8197e44205
- SHA512: 6d7ade1546ca05a5d319c3cf7332b5a537be4012fc2ffd7862ef6492fa48b1ffa0b91b8e9ba0a2fcc916a663c084aed67b637601e72fbc964c81037ed8456f4a
Malware Config
Extracted
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: 1xH}wgu7}f%E
Signatures
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  PID 3944 wrote to memory of 1716 / 3944 / swift copy.exe / swift copy.exe
  PID 3944 wrote to memory of 1716 / 3944 / swift copy.exe / swift copy.exe
  PID 3944 wrote to memory of 1716 / 3944 / swift copy.exe / swift copy.exe
  PID 3944 wrote to memory of 2068 / 3944 / swift copy.exe / swift copy.exe
  PID 3944 wrote to memory of 2068 / 3944 / swift copy.exe / swift copy.exe
  PID 3944 wrote to memory of 2068 / 3944 / swift copy.exe / swift copy.exe
  PID 3944 wrote to memory of 2068 / 3944 / swift copy.exe / swift copy.exe
  PID 3944 wrote to memory of 2068 / 3944 / swift copy.exe / swift copy.exe
  PID 3944 wrote to memory of 2068 / 3944 / swift copy.exe / swift copy.exe
  PID 3944 wrote to memory of 2068 / 3944 / swift copy.exe / swift copy.exe
  PID 3944 wrote to memory of 2068 / 3944 / swift copy.exe / swift copy.exe
  PID 2068 wrote to memory of 3040 / 2068 / swift copy.exe / netsh.exe
  PID 2068 wrote to memory of 3040 / 2068 / swift copy.exe / netsh.exe
  PID 2068 wrote to memory of 3040 / 2068 / swift copy.exe / netsh.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 3944 / swift copy.exe
  Token: SeDebugPrivilege / 2068 / swift copy.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
  3944 / swift copy.exe
  3944 / swift copy.exe
  2068 / swift copy.exe
  2068 / swift copy.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 3944 set thread context of 2068 / 3944 / swift copy.exe / swift copy.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid / process):
  2068 / swift copy.exe
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Processes
- C:\Users\Admin\AppData\Local\Temp\swift copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\swift copy.exe"
  PID: 3944
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\swift copy.exe
    Command line: "{path}"
    PID: 1716
  - C:\Users\Admin\AppData\Local\Temp\swift copy.exe
    Command line: "{path}"
    PID: 2068
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    Child processes:
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
      PID: 3040