swift copy.zip

General

Target: swift copy.exe
Filesize: 746KB
Completed: 01-12-2020 20:45
Score: 10/10
Malware Config

Extracted

Family agenttesla
Credentials

Protocol: smtp

Host: mail.polimeter.com

Port: 587

Username: info@polimeter.com

Password: 5337776740

Signatures 10

  • AgentTesla

    Description

    Agent Tesla is a .NET information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests saved credentials from browsers, email clients and FTP clients and exfiltrates them to an attacker-controlled mailbox; this sample uses the SMTP account in the extracted config above.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2112-12-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/2112-13-0x00000000004374DE-mapping.dmp | family_agenttesla
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System (T1005), Credentials in Files (T1552.001)
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System (T1005), Credentials in Files (T1552.001)
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System (T1005), Credentials in Files (T1552.001)
  • Suspicious use of SetThreadContext
    swift copy.exe

    Reported IOCs

    description | pid | process | target process
    PID 1404 set thread context of 2112 | 1404 | swift copy.exe | swift copy.exe
  • Suspicious behavior: EnumeratesProcesses
    swift copy.exe

    Reported IOCs

    pid | process
    2112 | swift copy.exe
    2112 | swift copy.exe
  • Suspicious use of AdjustPrivilegeToken
    swift copy.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2112 | swift copy.exe
  • Suspicious use of SetWindowsHookEx
    swift copy.exe

    Reported IOCs

    pid | process
    2112 | swift copy.exe
  • Suspicious use of WriteProcessMemory
    swift copy.exe

    Reported IOCs

    description | pid | process | target process
    PID 1404 wrote to memory of 2112 | 1404 | swift copy.exe | swift copy.exe
    PID 1404 wrote to memory of 2112 | 1404 | swift copy.exe | swift copy.exe
    PID 1404 wrote to memory of 2112 | 1404 | swift copy.exe | swift copy.exe
    PID 1404 wrote to memory of 2112 | 1404 | swift copy.exe | swift copy.exe
    PID 1404 wrote to memory of 2112 | 1404 | swift copy.exe | swift copy.exe
    PID 1404 wrote to memory of 2112 | 1404 | swift copy.exe | swift copy.exe
    PID 1404 wrote to memory of 2112 | 1404 | swift copy.exe | swift copy.exe
    PID 1404 wrote to memory of 2112 | 1404 | swift copy.exe | swift copy.exe
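The SetThreadContext and WriteProcessMemory signatures above describe one behaviour: PID 1404 starts a second copy of swift copy.exe, writes into it eight times and then replaces a thread context, which is process hollowing of its own child. The following detector, an added example that is not part of the sandbox report or of the malware, correlates those three event types per (parent, child) pair. The event dicts and their field names are constructed for this example; map them onto whatever your EDR or sandbox actually emits.

```python
"""Correlate parent-to-child memory writes with SetThreadContext to flag
self-hollowing, the pattern the sandbox reported for swift copy.exe.

Added example, not taken from the sandbox or from the malware. The event
dicts and their field names are constructed for this example.
"""
from collections import defaultdict


def _same_image(img_a, img_b):
    """True when two image names are the same file name, ignoring case."""
    return img_a.lower() == img_b.lower()


def detect_self_hollowing(events, min_writes=1):
    """Return one finding per (parent, child) pair where the parent spawned a
    copy of itself, wrote into it, and replaced a thread context.

    Seen from outside, that is what hollowing looks like: the child's original
    code never runs, so the image on disk and the code in memory diverge.
    """
    parent_of = {}             # child pid -> (parent pid, parent image, child image)
    writes = defaultdict(int)  # (writer pid, target pid) -> number of writes
    set_ctx = set()            # (writer pid, target pid) pairs with SetThreadContext
    privs = defaultdict(set)   # pid -> privileges it enabled afterwards

    for e in events:
        api = e["api"]
        if api == "CreateProcess":
            parent_of[e["target_pid"]] = (e["pid"], e["image"], e["target_image"])
        elif api == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif api == "SetThreadContext":
            set_ctx.add((e["pid"], e["target_pid"]))
        elif api == "AdjustTokenPrivileges":
            privs[e["pid"]].add(e["privilege"])

    findings = []
    for child, (parent, parent_img, child_img) in parent_of.items():
        key = (parent, child)
        if key not in set_ctx or writes[key] < min_writes:
            continue
        if not _same_image(parent_img, child_img):
            continue  # cross-image injection is a different signature, not covered here
        findings.append({
            "parent_pid": parent,
            "child_pid": child,
            "image": child_img,
            "writes": writes[key],
            "child_privileges": sorted(privs[child]),
        })
    return sorted(findings, key=lambda f: (f["parent_pid"], f["child_pid"]))


# Constructed events mirroring the report: 1404 spawns 2112 from the same
# image, writes to it eight times and sets its thread context; 2112 then
# enables SeDebugPrivilege.
REPORT_EVENTS = [
    {"api": "CreateProcess", "pid": 1404, "image": "swift copy.exe",
     "target_pid": 2112, "target_image": "swift copy.exe"},
    *[{"api": "WriteProcessMemory", "pid": 1404, "target_pid": 2112} for _ in range(8)],
    {"api": "SetThreadContext", "pid": 1404, "target_pid": 2112},
    {"api": "AdjustTokenPrivileges", "pid": 2112, "privilege": "SeDebugPrivilege"},
]

# Constructed benign trace: a program launches a copy of itself (browsers and
# .NET hosts do this routinely) without touching the child's memory.
BENIGN_EVENTS = [
    {"api": "CreateProcess", "pid": 500, "image": "worker.exe",
     "target_pid": 501, "target_image": "worker.exe"},
    {"api": "AdjustTokenPrivileges", "pid": 501, "privilege": "SeChangeNotifyPrivilege"},
]

if __name__ == "__main__":
    for f in detect_self_hollowing(REPORT_EVENTS):
        print(f"self-hollowing: {f['image']} {f['parent_pid']} -> {f['child_pid']} "
              f"({f['writes']} writes, child enabled {f['child_privileges']})")
    print("benign trace findings:", detect_self_hollowing(BENIGN_EVENTS))
```

Sysmon does not record WriteProcessMemory or SetThreadContext as such; the closest on-host analogue is its ProcessAccess event (ID 10) where a parent opens a same-image child with a GrantedAccess mask that includes PROCESS_VM_WRITE (0x0020) and PROCESS_SUSPEND_RESUME (0x0800). The SeDebugPrivilege step is kept in the finding because the child enabling it right after being hollowed is the second thing the sandbox flagged.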
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\swift copy.exe
    "C:\Users\Admin\AppData\Local\Temp\swift copy.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\swift copy.exe
      "{path}"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2112
Network
MITRE ATT&CK Matrix

Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\swift copy.exe.log
    MD5: 3fed8d1dd11972a6e2603bb2d73a3ee5
    SHA1: 7ecb7f64ade7b91c5815da647e84167c3d95afb4
    SHA256: eecf6c0575dc995a485d46a5daaa66f58229e552f16782d873834d218ab17551
    SHA512: ca6059eb67f800cc666d5146d24070abf5ee08209f8f9d1668a0ca2201eb3f6fa013c2d807b09925e12b82c37686980fcc26a6a5e4a5ba129c4b2a585961d3bb
  • memory/1404-3-0x0000000000B30000-0x0000000000B31000-memory.dmp
  • memory/1404-5-0x00000000058D0000-0x00000000058D1000-memory.dmp
  • memory/1404-6-0x0000000005470000-0x0000000005471000-memory.dmp
  • memory/1404-7-0x0000000005400000-0x0000000005401000-memory.dmp
  • memory/1404-8-0x0000000006300000-0x0000000006301000-memory.dmp
  • memory/1404-9-0x0000000005760000-0x0000000005761000-memory.dmp
  • memory/1404-10-0x0000000005560000-0x000000000556E000-memory.dmp
  • memory/1404-11-0x0000000006A60000-0x0000000006B19000-memory.dmp
  • memory/1404-2-0x0000000073550000-0x0000000073C3E000-memory.dmp
  • memory/2112-13-0x00000000004374DE-mapping.dmp
  • memory/2112-12-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/2112-15-0x0000000073550000-0x0000000073C3E000-memory.dmp
  • memory/2112-20-0x0000000002A20000-0x0000000002A21000-memory.dmp
  • memory/2112-21-0x0000000005C30000-0x0000000005C31000-memory.dmp
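The Downloads list is where the unpacked AgentTesla payload comes from: the YARA hit above was on the child's 0x400000-0x43C000 region, and the mapping dump at 0x4374DE sits inside it. The script below, an added example that is not part of the report, picks that region out of the list automatically by discarding every child region that is also mapped at the same address in the parent (a shared module, here the .NET runtime at 0x73550000) and every single-page scratch region, and then checks which region the mapping address falls in. The dump names are copied from the report; the name layout (pid, sequence number, start, end, kind) is read off those names rather than taken from a documented format, and reading the mapping address as the entry point the new thread context jumps to is an assumption.

```python
"""Pick the likely unpacked payload region from sandbox memory-dump names.

Added example, not part of the report. The name layout
<pid>-<n>-<start>-<end>-memory.dmp / <pid>-<n>-<address>-mapping.dmp is
inferred from the report's Downloads list (an assumption), and so is reading
the mapping address as the post-SetThreadContext entry point.
"""
import re

# Dump names as listed in the report's Downloads section.
DUMPS = [
    "memory/1404-3-0x0000000000B30000-0x0000000000B31000-memory.dmp",
    "memory/1404-5-0x00000000058D0000-0x00000000058D1000-memory.dmp",
    "memory/1404-6-0x0000000005470000-0x0000000005471000-memory.dmp",
    "memory/1404-7-0x0000000005400000-0x0000000005401000-memory.dmp",
    "memory/1404-8-0x0000000006300000-0x0000000006301000-memory.dmp",
    "memory/1404-9-0x0000000005760000-0x0000000005761000-memory.dmp",
    "memory/1404-10-0x0000000005560000-0x000000000556E000-memory.dmp",
    "memory/1404-11-0x0000000006A60000-0x0000000006B19000-memory.dmp",
    "memory/1404-2-0x0000000073550000-0x0000000073C3E000-memory.dmp",
    "memory/2112-13-0x00000000004374DE-mapping.dmp",
    "memory/2112-12-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/2112-15-0x0000000073550000-0x0000000073C3E000-memory.dmp",
    "memory/2112-20-0x0000000002A20000-0x0000000002A21000-memory.dmp",
    "memory/2112-21-0x0000000005C30000-0x0000000005C31000-memory.dmp",
]

# Accepts an optional directory prefix (the IOC table uses behavioral2/memory/).
_NAME = re.compile(
    r"^(?:[^/]+/)*(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump(name):
    """Split a dump name into pid, sequence number, address range and kind.
    Returns None for names that do not follow the pattern."""
    m = _NAME.match(name)
    if not m:
        return None
    start = int(m.group("start"), 16)
    end = int(m.group("end"), 16) if m.group("end") else None
    return {"pid": int(m.group("pid")), "n": int(m.group("n")),
            "start": start, "end": end, "kind": m.group("kind"),
            "size": (end - start) if end is not None else 0}


def candidate_payload_regions(names, parent_pid, child_pid, min_size=0x2000):
    """Rank the child's regions that are not also mapped in the parent.

    A region at the same address in both processes is a shared module, not
    injected code; a single-page region is heap or TLS scratch, not a PE image.
    Survivors are ranked by size, largest first.
    """
    parsed = [d for d in (parse_dump(n) for n in names) if d and d["kind"] == "memory"]
    shared = {(d["start"], d["end"]) for d in parsed if d["pid"] == parent_pid}
    cands = [d for d in parsed
             if d["pid"] == child_pid
             and (d["start"], d["end"]) not in shared
             and d["size"] >= min_size]
    return sorted(cands, key=lambda d: d["size"], reverse=True)


def entry_region(names, pid):
    """Return (start, end) of the pid's memory region that contains its mapping
    address, i.e. where execution resumes after SetThreadContext; None if the
    pid has no mapping dump or the address lies outside every dumped region."""
    parsed = [d for d in (parse_dump(n) for n in names) if d and d["pid"] == pid]
    for m in (d for d in parsed if d["kind"] == "mapping"):
        for r in (d for d in parsed if d["kind"] == "memory"):
            if r["start"] <= m["start"] < r["end"]:
                return (r["start"], r["end"])
    return None


if __name__ == "__main__":
    for d in candidate_payload_regions(DUMPS, 1404, 2112):
        print(f"payload candidate: pid {d['pid']} 0x{d['start']:X}-0x{d['end']:X} "
              f"({d['size']:#x} bytes)")
    print("entry point lands in:", entry_region(DUMPS, 2112))
```

For this report the only candidate is 2112-12 (0x400000-0x43C000, 0x3C000 bytes), and the mapping address 0x4374DE falls inside it, which is consistent with the family_agenttesla YARA hits on exactly those two dumps. The parent's own 1404-11 region (0x6A60000-0x6B19000, 0xB9000 bytes) is the one to look at next if you want the payload before it was written into the child; the script does not rank parent regions, it only uses them to rule out shared mappings.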