Overview

overview

10

Static

static

swift copy.exe

windows7_x64

10

swift copy.exe

windows10_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    66s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-12-2020 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    swift copy.exe

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.polimeter.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    5337776740

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\swift copy.exe
    "C:\Users\Admin\AppData\Local\Temp\swift copy.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\swift copy.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2112

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\swift copy.exe.log
    MD5

    3fed8d1dd11972a6e2603bb2d73a3ee5

    SHA1

    7ecb7f64ade7b91c5815da647e84167c3d95afb4

    SHA256

    eecf6c0575dc995a485d46a5daaa66f58229e552f16782d873834d218ab17551

    SHA512

    ca6059eb67f800cc666d5146d24070abf5ee08209f8f9d1668a0ca2201eb3f6fa013c2d807b09925e12b82c37686980fcc26a6a5e4a5ba129c4b2a585961d3bb

    Download Submit

  • memory/1404-9-0x0000000005760000-0x0000000005761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1404-11-0x0000000006A60000-0x0000000006B19000-memory.dmp

    Filesize

    740KB

    Download

  • memory/1404-6-0x0000000005470000-0x0000000005471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1404-7-0x0000000005400000-0x0000000005401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1404-8-0x0000000006300000-0x0000000006301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1404-2-0x0000000073550000-0x0000000073C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1404-10-0x0000000005560000-0x000000000556E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1404-5-0x00000000058D0000-0x00000000058D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1404-3-0x0000000000B30000-0x0000000000B31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-13-0x00000000004374DE-mapping.dmp

    Download

  • memory/2112-12-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2112-15-0x0000000073550000-0x0000000073C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2112-20-0x0000000002A20000-0x0000000002A21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-21-0x0000000005C30000-0x0000000005C31000-memory.dmp

    Filesize

    4KB

    Download