Overview

overview

10

Static

static

TT swift copy.exe

windows7_x64

10

TT swift copy.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    02-12-2021 06:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TT swift copy.exe

  • Size

    568KB

  • MD5

    0335051e4313ffe85a082aea05e99220

  • SHA1

    456db1c86a0298041657086fa50aea8e4a61f805

  • SHA256

    20eeb51aa83842c159a0bd254fe994a9cc4bfd39a4b9e5135cdd1d7d5610055e

  • SHA512

    b24f903825343a6344f36de795f3f353d22e8f549dafae1d7cc4178c8f5a28fd7c45429f083da70e584d99bcff75bc12c7463c1726a8ced32bb500e69a7b3bc2

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.gcsenagency.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    supt@3081#

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TT swift copy.exe
    "C:\Users\Admin\AppData\Local\Temp\TT swift copy.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiIPuXCjRrkkV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B6F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:404
    • C:\Users\Admin\AppData\Local\Temp\TT swift copy.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1888

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TT swift copy.exe.log
    MD5

    90acfd72f14a512712b1a7380c0faf60

    SHA1

    40ba4accb8faa75887e84fb8e38d598dc8cf0f12

    SHA256

    20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

    SHA512

    29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp3B6F.tmp
    MD5

    54980cb2e35493ab85ab9e7c25ee58ca

    SHA1

    eadb301b2328c14850de30fdc012540313fa1acf

    SHA256

    b8434b24b830db51f4abe0fc040de94eaf8fbdbb3bf53fdf581ebdf2ae2b0337

    SHA512

    36d6346b1d1bddcf670543d4888f30f6c9f736e4fb93d5802720001f561e28fd46c10d1e2317a73c00ec136b62d05b7bc20683ae9d32cbc94bdc2c95154affb8

    Download Submit
  • memory/404-129-0x0000000000000000-mapping.dmp
    Download
  • memory/1888-140-0x00000000060E0000-0x00000000060E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1888-139-0x0000000006040000-0x0000000006041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1888-138-0x0000000005440000-0x000000000593E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1888-132-0x00000000004375DE-mapping.dmp
    Download
  • memory/1888-131-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3560-123-0x0000000005610000-0x0000000005611000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3560-128-0x0000000007E90000-0x0000000007EC8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/3560-127-0x0000000007E10000-0x0000000007E8F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/3560-126-0x00000000058C0000-0x00000000058C5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/3560-125-0x0000000005710000-0x0000000005C0E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3560-124-0x00000000058D0000-0x00000000058D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3560-118-0x0000000000D60000-0x0000000000D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3560-122-0x0000000005710000-0x0000000005711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3560-121-0x0000000005C10000-0x0000000005C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3560-120-0x0000000005670000-0x0000000005671000-memory.dmp
    Filesize

    4KB

    Download