SWIFT CONFIRMATION.exe

General

Target: SWIFT CONFIRMATION.exe
Filesize: 736KB
Completed: 27-07-2021 15:48
Score: 10/10
MD5: 56a49812b0b2214950f241aeec86fa55
SHA1: c33b64a409a9fdb32555e14ef57290afa3942710
SHA256: 0fba63de28c93fd00593e1b906f7a78e197d3392ed24fc4e4d24c8405d11bab7

Malware Config

Extracted

Family: agenttesla

Credentials
Protocol: smtp
Host: smtp.saisianket-tech.com
Port: 587
Username: akibapen@saisianket-tech.com
Password: donblack12345

Signatures 6

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource                                                                     yara_rule
    behavioral1/memory/396-66-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
    behavioral1/memory/396-67-0x00000000004365AE-mapping.dmp                     family_agenttesla
    behavioral1/memory/396-68-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  • Suspicious use of SetThreadContext
    SWIFT CONFIRMATION.exe

    Reported IOCs

    description                          pid    process                  target process
    PID 1272 set thread context of 396   1272   SWIFT CONFIRMATION.exe   SWIFT CONFIRMATION.exe
  • Suspicious behavior: EnumeratesProcesses
    SWIFT CONFIRMATION.exe

    Reported IOCs

    pid   process
    396   SWIFT CONFIRMATION.exe
    396   SWIFT CONFIRMATION.exe
  • Suspicious use of AdjustPrivilegeToken
    SWIFT CONFIRMATION.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   396   SWIFT CONFIRMATION.exe
  • Suspicious use of WriteProcessMemory
    SWIFT CONFIRMATION.exe

    Reported IOCs

    description                         pid    process                  target process
    PID 1272 wrote to memory of 396     1272   SWIFT CONFIRMATION.exe   SWIFT CONFIRMATION.exe
    PID 1272 wrote to memory of 396     1272   SWIFT CONFIRMATION.exe   SWIFT CONFIRMATION.exe
    PID 1272 wrote to memory of 396     1272   SWIFT CONFIRMATION.exe   SWIFT CONFIRMATION.exe
    PID 1272 wrote to memory of 396     1272   SWIFT CONFIRMATION.exe   SWIFT CONFIRMATION.exe
    PID 1272 wrote to memory of 396     1272   SWIFT CONFIRMATION.exe   SWIFT CONFIRMATION.exe
    PID 1272 wrote to memory of 396     1272   SWIFT CONFIRMATION.exe   SWIFT CONFIRMATION.exe
    PID 1272 wrote to memory of 396     1272   SWIFT CONFIRMATION.exe   SWIFT CONFIRMATION.exe
    PID 1272 wrote to memory of 396     1272   SWIFT CONFIRMATION.exe   SWIFT CONFIRMATION.exe
    PID 1272 wrote to memory of 396     1272   SWIFT CONFIRMATION.exe   SWIFT CONFIRMATION.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\SWIFT CONFIRMATION.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT CONFIRMATION.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\SWIFT CONFIRMATION.exe
      "{path}"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:396
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • memory/396-67-0x00000000004365AE-mapping.dmp
  • memory/396-68-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/396-70-0x00000000046B0000-0x00000000046B1000-memory.dmp
  • memory/396-66-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1272-64-0x00000000051E0000-0x0000000005298000-memory.dmp
  • memory/1272-65-0x00000000052A0000-0x0000000005313000-memory.dmp
  • memory/1272-60-0x0000000000A90000-0x0000000000A91000-memory.dmp
  • memory/1272-62-0x0000000002240000-0x0000000002241000-memory.dmp
  • memory/1272-63-0x00000000004D0000-0x00000000004D2000-memory.dmp