General

  • Target

    1a03ef8677042233f7bd4ba09c35eb55a3dfb538cc94063638758ee5fdb08779

  • Size

    203KB

  • Sample

    220521-xf1ezsbfd4

  • MD5

    83b65d2e08c04c14a74d9087c3fd4fc7

  • SHA1

    e509e1b20cdd5b4886517cc0ec40498c561008b0

  • SHA256

    1a03ef8677042233f7bd4ba09c35eb55a3dfb538cc94063638758ee5fdb08779

  • SHA512

    cfb8b4b302d7d61ec2151c45daddf8c24cf3230293f206e0b11cc73673d7d270f70fc615f8e56805a648a64ba985b67f5b672e886ee1273785ea8a425f84f11b

Malware Config

Targets

    • Target

      swift.exe

    • Size

      136KB

    • MD5

      198cd80e37da0dbbaf969749e7ea1f9c

    • SHA1

      d6e5dcad5b0ceae5db56d62750554d69e9c569b2

    • SHA256

      2fe7660d58b881541c1f929382f478d19f17fdb56f2e8b313b8cfc0545a615bd

    • SHA512

      f5d509e4ee75878f079109e4b8a056f850b67587b92e6d088e66bd79c05fdedaafb379b00d6e950bd7ab9f129351ec7be0aa911c5722254b2ea6e7eb3fc02b9d

    • suricata: ET MALWARE AgentTesla PWS HTTP CnC Checkin

      suricata: ET MALWARE AgentTesla PWS HTTP CnC Checkin

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      swift.scr

    • Size

      136KB

    • MD5

      198cd80e37da0dbbaf969749e7ea1f9c

    • SHA1

      d6e5dcad5b0ceae5db56d62750554d69e9c569b2

    • SHA256

      2fe7660d58b881541c1f929382f478d19f17fdb56f2e8b313b8cfc0545a615bd

    • SHA512

      f5d509e4ee75878f079109e4b8a056f850b67587b92e6d088e66bd79c05fdedaafb379b00d6e950bd7ab9f129351ec7be0aa911c5722254b2ea6e7eb3fc02b9d

    • suricata: ET MALWARE AgentTesla PWS HTTP CnC Checkin

      suricata: ET MALWARE AgentTesla PWS HTTP CnC Checkin

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

6
T1081

Collection

Data from Local System

6
T1005

Email Collection

2
T1114

Tasks