Analysis
-
max time kernel
129s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
29-01-2021 06:26
Static task
static1
Behavioral task
behavioral1
Sample
SWIFT COPY.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
SWIFT COPY.exe
Resource
win10v20201028
General
-
Target
SWIFT COPY.exe
-
Size
723KB
-
MD5
d519e87d666c392d0f2ef1ad2aebc05e
-
SHA1
8ebbbf740d9c71a0ff552f94a04a8486ef203688
-
SHA256
2efdd33ac30e96fcc41df82e89004c5553182e74f04efb8c434e881e00af0b42
-
SHA512
63063628be679d3911e48a97d8bea96b62b9a12ff75f2b8e6ef6c1262a91df393c793495c418467d2d8395657f438a8b0711637010872458f929ac5f7f569841
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.kpce-co.com - Port:
587 - Username:
[email protected] - Password:
g@jnJ{#6Eva5
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2680-3-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/2680-4-0x000000000043733E-mapping.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
SWIFT COPY.exedescription pid process target process PID 580 set thread context of 2680 580 SWIFT COPY.exe SWIFT COPY.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
SWIFT COPY.exepid process 2680 SWIFT COPY.exe 2680 SWIFT COPY.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SWIFT COPY.exedescription pid process Token: SeDebugPrivilege 2680 SWIFT COPY.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
SWIFT COPY.exedescription pid process target process PID 580 wrote to memory of 2680 580 SWIFT COPY.exe SWIFT COPY.exe PID 580 wrote to memory of 2680 580 SWIFT COPY.exe SWIFT COPY.exe PID 580 wrote to memory of 2680 580 SWIFT COPY.exe SWIFT COPY.exe PID 580 wrote to memory of 2680 580 SWIFT COPY.exe SWIFT COPY.exe PID 580 wrote to memory of 2680 580 SWIFT COPY.exe SWIFT COPY.exe PID 580 wrote to memory of 2680 580 SWIFT COPY.exe SWIFT COPY.exe PID 580 wrote to memory of 2680 580 SWIFT COPY.exe SWIFT COPY.exe PID 580 wrote to memory of 2680 580 SWIFT COPY.exe SWIFT COPY.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SWIFT COPY.exe.logMD5
ef140ef600b2463c9e7dbf064a104046
SHA1c08fd1853877be95575ea2e860dd8cafef31f54c
SHA256ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
SHA512bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
-
memory/580-2-0x0000000002630000-0x0000000002631000-memory.dmpFilesize
4KB
-
memory/2680-3-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2680-4-0x000000000043733E-mapping.dmp
-
memory/2680-6-0x0000000003100000-0x0000000003101000-memory.dmpFilesize
4KB
-
memory/2680-7-0x0000000003101000-0x0000000003102000-memory.dmpFilesize
4KB
-
memory/2680-8-0x0000000003102000-0x0000000003103000-memory.dmpFilesize
4KB