Overview

overview

10

Static

static

SWIFT COPY.exe

windows7_x64

10

SWIFT COPY.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fbf5967f198d8bfcf2788f0fc616c4506d2f3f61df8cf4fe49f8e8f9c33e3309

  • Size

    389KB

  • Sample

    220520-3hmvkabhbl

  • MD5

    61c84baff632bf00d58cf03262ff6c84

  • SHA1

    4869da10768fedba99217c3621eb0549a305dbaf

  • SHA256

    fbf5967f198d8bfcf2788f0fc616c4506d2f3f61df8cf4fe49f8e8f9c33e3309

  • SHA512

    115c7d528c297dcdc38e23a64559b2170d8e736efc49276f83d436fd079fb767fb7ca1bc5785d45960a915074e271350572d3ed73e2035b4104168f8ff551f77

Score
10/10
agentteslacollectionkeyloggerpersistencerezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.sunflower-tech.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    3625Bateau

Targets

    • Target

      SWIFT COPY.exe

    • Size

      450KB

    • MD5

      2a46fd19bda3ca62857bf65d8ac4ecdd

    • SHA1

      34816a22714801bfae152c07eecba2f63efce12f

    • SHA256

      5ab8a06136b60d9f632b0e6ab76ab36e8078668cff1e98ad2d5548ac2cbcd693

    • SHA512

      e216504e5ecaa015f0046021b788bd7f86ee0210962832b725b5fc178fc50349f670aca50db2637628e672259327fe6c4ffde5b217cbeddc2604ce5af6d2d103

    Score
    10/10
    agentteslacollectionkeyloggerpersistencerezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks