Overview

overview

10

Static

static

SWIFT HKEB...ip.exe

windows7_x64

10

SWIFT HKEB...ip.exe

windows10_x64

10

Analysis

  • max time kernel
    93s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-01-2021 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT HKEB0C01725410-T02.zip.exe

  • Size

    1.9MB

  • MD5

    9799d062813682be526e3872624619d6

  • SHA1

    73fcf6be1e81560fc4b3c07f6f6cffc6d9c45b67

  • SHA256

    c0c094a6eb4a6e1051e79144ff16ae6d24b52007ac96fa0d8b40319635e1ea55

  • SHA512

    e040175339eda6b977816bebe7c09a48b21eb98d03380beeccff7b961ce952b470616b85f913fda60ef5730d36e056642bda5a3281676840be83b4f69fa9ff97

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    graceofgod

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SWIFT HKEB0C01725410-T02.zip.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT HKEB0C01725410-T02.zip.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/212-3-0x0000000000446ABE-mapping.dmp
    Download
  • memory/212-2-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/212-4-0x0000000073F40000-0x000000007462E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/212-7-0x0000000005C90000-0x0000000005C91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/212-8-0x0000000005830000-0x0000000005831000-memory.dmp
    Filesize

    4KB

    Download
  • memory/212-9-0x0000000005760000-0x0000000005761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/212-10-0x0000000006380000-0x0000000006381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/212-11-0x0000000006840000-0x0000000006841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/212-12-0x0000000006800000-0x0000000006801000-memory.dmp
    Filesize

    4KB

    Download