Analysis
- max time kernel: 54s
- max time network: 107s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:59
Static task: static1
Behavioral task: behavioral1
- Sample: SWIFT COPY.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: SWIFT COPY.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: SWIFT COPY.exe
- Size: 486KB
- MD5: cff428da8480fae5a9715be28a7a2d26
- SHA1: df5ebf17af3c084a6b760bedcf9631671251aff2
- SHA256: 2adc69f66c9ac282f200d7c46fe662ec89f113abd5b4bc77f5094c2b3dbddb47
- SHA512: 2ed52511dba9de589525ef23e08234b2b607985ad7708a03489ae3e21c1183fd75b866899f677b630c281932b24a77117eb700a868b70ceea5ad7c2e6d845e6e
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: smtp.liabherr.com
  - Port: 587
  - Username: obi@liabherr.com
  - Password: n*pmouf4
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/740-4-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral2/memory/740-5-0x000000000044C52E-mapping.dmp | family_agenttesla
- Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | SWIFT COPY.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1028 set thread context of 740 | 1028 | SWIFT COPY.exe | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  740 | RegAsm.exe
  740 | RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  1028 | SWIFT COPY.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 740 | RegAsm.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 1028 wrote to memory of 740 | 1028 | SWIFT COPY.exe | RegAsm.exe
  PID 1028 wrote to memory of 740 | 1028 | SWIFT COPY.exe | RegAsm.exe
  PID 1028 wrote to memory of 740 | 1028 | SWIFT COPY.exe | RegAsm.exe
  PID 1028 wrote to memory of 740 | 1028 | SWIFT COPY.exe | RegAsm.exe
  PID 740 wrote to memory of 512 | 740 | RegAsm.exe | netsh.exe
  PID 740 wrote to memory of 512 | 740 | RegAsm.exe | netsh.exe
  PID 740 wrote to memory of 512 | 740 | RegAsm.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\SysWOW64\netsh.exe
      command line: "netsh" wlan show profile
Downloads
- memory/512-13-0x0000000000000000-mapping.dmp
- memory/740-9-0x0000000005BE0000-0x0000000005BE1000-memory.dmp (4KB)
- memory/740-4-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/740-5-0x000000000044C52E-mapping.dmp
- memory/740-6-0x0000000072B30000-0x000000007321E000-memory.dmp (6.9MB)
- memory/740-10-0x0000000005590000-0x0000000005591000-memory.dmp (4KB)
- memory/740-11-0x0000000005630000-0x0000000005631000-memory.dmp (4KB)
- memory/740-12-0x0000000006150000-0x0000000006151000-memory.dmp (4KB)
- memory/740-14-0x0000000006980000-0x0000000006981000-memory.dmp (4KB)
- memory/740-15-0x0000000006790000-0x0000000006791000-memory.dmp (4KB)
- memory/1028-3-0x0000000004DF0000-0x0000000004E44000-memory.dmp (336KB)
- memory/1028-0-0x0000000073290000-0x000000007397E000-memory.dmp (6.9MB)
- memory/1028-1-0x0000000000650000-0x0000000000651000-memory.dmp (4KB)