Analysis
-
max time kernel
140s -
max time network
9s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
01-12-2020 20:42
Static task
static1
Behavioral task
behavioral1
Sample
swift copy.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
swift copy.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
swift copy.exe
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.polimeter.com - Port:
587 - Username:
[email protected] - Password:
5337776740
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
resource yara_rule behavioral1/memory/1656-7-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/1656-8-0x00000000004374DE-mapping.dmp family_agenttesla behavioral1/memory/1656-9-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/1656-10-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1936 set thread context of 1656 1936 swift copy.exe 29 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1656 swift copy.exe 1656 swift copy.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1656 swift copy.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1656 swift copy.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1936 wrote to memory of 1656 1936 swift copy.exe 29 PID 1936 wrote to memory of 1656 1936 swift copy.exe 29 PID 1936 wrote to memory of 1656 1936 swift copy.exe 29 PID 1936 wrote to memory of 1656 1936 swift copy.exe 29 PID 1936 wrote to memory of 1656 1936 swift copy.exe 29 PID 1936 wrote to memory of 1656 1936 swift copy.exe 29 PID 1936 wrote to memory of 1656 1936 swift copy.exe 29 PID 1936 wrote to memory of 1656 1936 swift copy.exe 29 PID 1936 wrote to memory of 1656 1936 swift copy.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\swift copy.exe"C:\Users\Admin\AppData\Local\Temp\swift copy.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\swift copy.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1656
-