swift copy.zip

General

Target: swift copy.exe
Filesize: 746KB
Completed: 01-12-2020 20:45
Score: 10/10
Malware Config

Extracted

Family: agenttesla
Credentials

Protocol: smtp

Host: mail.polimeter.com

Port: 587

Username: info@polimeter.com

Password: 5337776740

Signatures 10

Tactics: Collection, Credential Access
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource                                                              yara_rule
    behavioral1/memory/1656-7-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
    behavioral1/memory/1656-8-0x00000000004374DE-mapping.dmp                     family_agenttesla
    behavioral1/memory/1656-9-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
    behavioral1/memory/1656-10-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Suspicious use of SetThreadContext
    swift copy.exe

    Reported IOCs

    description                            pid   process         target process
    PID 1936 set thread context of 1656    1936  swift copy.exe  swift copy.exe
  • Suspicious behavior: EnumeratesProcesses
    swift copy.exe

    Reported IOCs

    pid   process
    1656  swift copy.exe
    1656  swift copy.exe
  • Suspicious use of AdjustPrivilegeToken
    swift copy.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   1656  swift copy.exe
  • Suspicious use of SetWindowsHookEx
    swift copy.exe

    Reported IOCs

    pid   process
    1656  swift copy.exe
  • Suspicious use of WriteProcessMemory
    swift copy.exe

    Reported IOCs

    description                          pid   process         target process
    PID 1936 wrote to memory of 1656     1936  swift copy.exe  swift copy.exe
    PID 1936 wrote to memory of 1656     1936  swift copy.exe  swift copy.exe
    PID 1936 wrote to memory of 1656     1936  swift copy.exe  swift copy.exe
    PID 1936 wrote to memory of 1656     1936  swift copy.exe  swift copy.exe
    PID 1936 wrote to memory of 1656     1936  swift copy.exe  swift copy.exe
    PID 1936 wrote to memory of 1656     1936  swift copy.exe  swift copy.exe
    PID 1936 wrote to memory of 1656     1936  swift copy.exe  swift copy.exe
    PID 1936 wrote to memory of 1656     1936  swift copy.exe  swift copy.exe
    PID 1936 wrote to memory of 1656     1936  swift copy.exe  swift copy.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\swift copy.exe
    "C:\Users\Admin\AppData\Local\Temp\swift copy.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\swift copy.exe
      "{path}"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1656
Network
MITRE ATT&CK Matrix

Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1656-9-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1656-10-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1656-11-0x0000000073710000-0x0000000073DFE000-memory.dmp
  • memory/1656-7-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1656-8-0x00000000004374DE-mapping.dmp
  • memory/1936-6-0x0000000005990000-0x0000000005A49000-memory.dmp
  • memory/1936-2-0x0000000073E00000-0x00000000744EE000-memory.dmp
  • memory/1936-3-0x00000000001F0000-0x00000000001F1000-memory.dmp
  • memory/1936-5-0x00000000005C0000-0x00000000005CE000-memory.dmp