Analysis
- max time kernel: 72s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:59
Static task: static1
Behavioral task: behavioral1
- Sample: SWIFT COPY.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: SWIFT COPY.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: SWIFT COPY.exe
- Size: 486KB
- MD5: cff428da8480fae5a9715be28a7a2d26
- SHA1: df5ebf17af3c084a6b760bedcf9631671251aff2
- SHA256: 2adc69f66c9ac282f200d7c46fe662ec89f113abd5b4bc77f5094c2b3dbddb47
- SHA512: 2ed52511dba9de589525ef23e08234b2b607985ad7708a03489ae3e21c1183fd75b866899f677b630c281932b24a77117eb700a868b70ceea5ad7c2e6d845e6e
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials:
  - Protocol: smtp
  - Host: smtp.liabherr.com
  - Port: 587
  - Username: obi@liabherr.com
  - Password: n*pmouf4
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/1200-4-0x0000000000400000-0x0000000000452000-memory.dmp: family_agenttesla
  - behavioral1/memory/1200-5-0x000000000044C52E-mapping.dmp: family_agenttesla
  - behavioral1/memory/1200-6-0x0000000000400000-0x0000000000452000-memory.dmp: family_agenttesla
  - behavioral1/memory/1200-7-0x0000000000400000-0x0000000000452000-memory.dmp: family_agenttesla
- Drops startup file (1 IoC)
  Processes: SWIFT COPY.exe
  - description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe; process: SWIFT COPY.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: SWIFT COPY.exe
  - description: PID 288 set thread context of 1200; pid: 288; process: SWIFT COPY.exe; target process: RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegAsm.exe
  - pid: 1200; process: RegAsm.exe
  - pid: 1200; process: RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: SWIFT COPY.exe
  - pid: 288; process: SWIFT COPY.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegAsm.exe
  - description: Token: SeDebugPrivilege; pid: 1200; process: RegAsm.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: SWIFT COPY.exe, RegAsm.exe
  - description: PID 288 wrote to memory of 1200; pid: 288; process: SWIFT COPY.exe; target process: RegAsm.exe (8 entries)
  - description: PID 1200 wrote to memory of 1640; pid: 1200; process: RegAsm.exe; target process: netsh.exe (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix
Downloads
- memory/288-0-0x00000000740B0000-0x000000007479E000-memory.dmp (Filesize: 6.9MB)
- memory/288-1-0x0000000000FA0000-0x0000000000FA1000-memory.dmp (Filesize: 4KB)
- memory/288-3-0x0000000000310000-0x0000000000364000-memory.dmp (Filesize: 336KB)
- memory/1200-4-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1200-5-0x000000000044C52E-mapping.dmp
- memory/1200-6-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1200-7-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1200-8-0x00000000737F0000-0x0000000073EDE000-memory.dmp (Filesize: 6.9MB)
- memory/1640-11-0x0000000000000000-mapping.dmp