Overview

overview

10

Static

static

Swift Copy.exe

windows7_x64

10

Swift Copy.exe

windows10_x64

10

Analysis

  • max time kernel
    68s
  • max time network
    65s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    31-07-2020 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Swift Copy.exe

  • Size

    741KB

  • MD5

    749be8c35eb6722a48f9c77886a2911d

  • SHA1

    ca7566b4b3dc6a09f890d413fcbd14c2db05df47

  • SHA256

    98850bda70a9cac3e3ba79f0c92d0caa6dabd70be5834912f3186bae3d964b16

  • SHA512

    f995385b717173bcb3c53256dd7578095ce7002abc2ccae2b759dcf84a130f5349b2672e6f02d6af2d92aa17478e86c4027b60bd8407711034489fb6e8c16627

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    itccoit@ite-gr.com
  • Password:
    locowise12345

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
      "C:/Users/Admin/AppData/Local/Temp/Swift Copy.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Swift Copy.exe" "%temp%\FolderN\name.exe" /Y
      2⤵
        PID:1156
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
          3⤵
            PID:1596
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
          2⤵
          • NTFS ADS
          PID:1764

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
        MD5

        749be8c35eb6722a48f9c77886a2911d

        SHA1

        ca7566b4b3dc6a09f890d413fcbd14c2db05df47

        SHA256

        98850bda70a9cac3e3ba79f0c92d0caa6dabd70be5834912f3186bae3d964b16

        SHA512

        f995385b717173bcb3c53256dd7578095ce7002abc2ccae2b759dcf84a130f5349b2672e6f02d6af2d92aa17478e86c4027b60bd8407711034489fb6e8c16627

        Download Submit
      • memory/992-0-0x0000000000400000-0x000000000044A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/992-1-0x0000000000445EFE-mapping.dmp
        Download
      • memory/1156-2-0x0000000000000000-mapping.dmp
        Download
      • memory/1356-3-0x0000000000000000-mapping.dmp
        Download
      • memory/1596-4-0x0000000000000000-mapping.dmp
        Download
      • memory/1764-6-0x0000000000000000-mapping.dmp
        Download