Analysis
- max time kernel: 192s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:39

Static task: static1

Behavioral task: behavioral1
- Sample: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
- Resource: win10v2004-20220414-en
General
- Target: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
- Size: 642KB
- MD5: a56bb0b32e1cf8a6d446ef50b4b22d90
- SHA1: 458d0d9b4a210e34e958e2806700a5b177ddd660
- SHA256: 6de5c4939b3168487631c164ffc007b883acc005f689fb91951a06b92b06ea27
- SHA512: 09be55f3cc24410aaff2e100ce78bd61780f7eac62e310dcab23798cfcf13c316452749c759ab5fd7ca676158552089af82053e25426b67004f237987e281ed4
Malware Config

Extracted
- Protocol: ftp
- Host: ftp.rebu.co.rw
- Port: 21
- Username: [email protected]
- Password: o^Z0CIU?^yL2

Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://ftp.rebu.co.rw/
- Port: 21
- Username: [email protected]
- Password: o^Z0CIU?^yL2
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (1 IoC)
- resource: behavioral2/memory/1668-136-0x0000000000400000-0x0000000000452000-memory.dmp
  yara_rule: family_agenttesla

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Adds Run key to start application (2 TTPs, 1 IoC)
Process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IYLZX5 = "C:\\Users\\Admin\\AppData\\Roaming\\IYLZX5\\IYLZX5.exe"

Suspicious use of SetThreadContext (1 IoC)
- PID 3192 set thread context of 1668
  process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe (3192)
  target process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe (1668)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
- pid 3192 (4 IoCs)
- pid 1668 (2 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
- Token: SeDebugPrivilege, pid 3192
- Token: SeDebugPrivilege, pid 1668

Suspicious use of SetWindowsHookEx (1 IoC)
Process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
- pid 1668

Suspicious use of WriteProcessMemory (11 IoCs)
- PID 3192 wrote to memory of 1668 (8 IoCs)
  process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe (3192)
  target process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe (1668)
- PID 1668 wrote to memory of 4852 (3 IoCs)
  process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe (1668)
  target process: netsh.exe (4852)

outlook_office_path (1 IoC)
Process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
Process: DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\DraftSwift copy hpSCAN 2207110 SWIFT CONFIRMATION 4657754 AGST INV CON 702.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - Child: C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1668-135-0x0000000000000000-mapping.dmp
- memory/1668-136-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1668-137-0x0000000005930000-0x0000000005996000-memory.dmp (Filesize: 408KB)
- memory/1668-138-0x00000000063F0000-0x0000000006440000-memory.dmp (Filesize: 320KB)
- memory/3192-130-0x00000000001D0000-0x0000000000276000-memory.dmp (Filesize: 664KB)
- memory/3192-131-0x00000000050F0000-0x0000000005694000-memory.dmp (Filesize: 5.6MB)
- memory/3192-132-0x0000000004B40000-0x0000000004BD2000-memory.dmp (Filesize: 584KB)
- memory/3192-133-0x00000000025A0000-0x00000000025AA000-memory.dmp (Filesize: 40KB)
- memory/3192-134-0x0000000008310000-0x00000000083AC000-memory.dmp (Filesize: 624KB)
- memory/4852-139-0x0000000000000000-mapping.dmp