Overview

overview

10

Static

static

SWIFT COPY.exe

windows7_x64

10

SWIFT COPY.exe

windows10_x64

10

Analysis

  • max time kernel
    72s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT COPY.exe

  • Size

    486KB

  • MD5

    cff428da8480fae5a9715be28a7a2d26

  • SHA1

    df5ebf17af3c084a6b760bedcf9631671251aff2

  • SHA256

    2adc69f66c9ac282f200d7c46fe662ec89f113abd5b4bc77f5094c2b3dbddb47

  • SHA512

    2ed52511dba9de589525ef23e08234b2b607985ad7708a03489ae3e21c1183fd75b866899f677b630c281932b24a77117eb700a868b70ceea5ad7c2e6d845e6e

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.liabherr.com
  • Port:
    587
  • Username:
    obi@liabherr.com
  • Password:
    n*pmouf4

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 4 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
          PID:1640

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/288-0-0x00000000740B0000-0x000000007479E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/288-1-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/288-3-0x0000000000310000-0x0000000000364000-memory.dmp
      Filesize

      336KB

      Download
    • memory/1200-4-0x0000000000400000-0x0000000000452000-memory.dmp
      Filesize

      328KB

      Download
    • memory/1200-5-0x000000000044C52E-mapping.dmp
      Download
    • memory/1200-6-0x0000000000400000-0x0000000000452000-memory.dmp
      Filesize

      328KB

      Download
    • memory/1200-7-0x0000000000400000-0x0000000000452000-memory.dmp
      Filesize

      328KB

      Download
    • memory/1200-8-0x00000000737F0000-0x0000000073EDE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1640-11-0x0000000000000000-mapping.dmp
      Download