Overview

overview

10

Static

static

SWIFT COPY.exe

windows7_x64

10

SWIFT COPY.exe

windows10_x64

10

Analysis

  • max time kernel
    54s
  • max time network
    107s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT COPY.exe

  • Size

    486KB

  • MD5

    cff428da8480fae5a9715be28a7a2d26

  • SHA1

    df5ebf17af3c084a6b760bedcf9631671251aff2

  • SHA256

    2adc69f66c9ac282f200d7c46fe662ec89f113abd5b4bc77f5094c2b3dbddb47

  • SHA512

    2ed52511dba9de589525ef23e08234b2b607985ad7708a03489ae3e21c1183fd75b866899f677b630c281932b24a77117eb700a868b70ceea5ad7c2e6d845e6e

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.liabherr.com
  • Port:
    587
  • Username:
    obi@liabherr.com
  • Password:
    n*pmouf4

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:740
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
          PID:512

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/512-13-0x0000000000000000-mapping.dmp
      Download
    • memory/740-9-0x0000000005BE0000-0x0000000005BE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-4-0x0000000000400000-0x0000000000452000-memory.dmp
      Filesize

      328KB

      Download
    • memory/740-5-0x000000000044C52E-mapping.dmp
      Download
    • memory/740-6-0x0000000072B30000-0x000000007321E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/740-10-0x0000000005590000-0x0000000005591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-11-0x0000000005630000-0x0000000005631000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-12-0x0000000006150000-0x0000000006151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-14-0x0000000006980000-0x0000000006981000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-15-0x0000000006790000-0x0000000006791000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1028-3-0x0000000004DF0000-0x0000000004E44000-memory.dmp
      Filesize

      336KB

      Download
    • memory/1028-0-0x0000000073290000-0x000000007397E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1028-1-0x0000000000650000-0x0000000000651000-memory.dmp
      Filesize

      4KB

      Download