Analysis
- max time kernel: 100s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 00:07
Static task: static1
Behavioral task: behavioral1
- Sample: Swift Copy.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Swift Copy.exe
- Resource: win10v2004-20220414-en
General
- Target: Swift Copy.exe
- Size: 461KB
- MD5: 7c4e3e90c83dc1ce60a34ca9a1cb5fbd
- SHA1: 45cd96b6273430c6540fd51b811d46c1ca192d2e
- SHA256: 0fabbaf7f8ad7af3888aa77b2e376db74390064ea8eea0c54fee59fdc2cd54c8
- SHA512: c79b983f7d84be227f6741bbe0b2cc73bcdb800528d898e52c4030a468c980a5b46a7c01c16a9bf7d78fd855a7982d525c562a04e5cc7804e0abdd585e700523
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: janet_maldonado@taiemerica.com
- Password: JuCbr%o3
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer 1 IoCs
  A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is decrypted at runtime.
  Processes:
    resource | yara_rule
    behavioral1/memory/876-56-0x0000000000420000-0x0000000000428000-memory.dmp | coreentity
- AgentTesla payload 6 IoCs
  Processes:
    resource | yara_rule
    behavioral1/memory/2020-61-0x0000000000400000-0x000000000044E000-memory.dmp | family_agenttesla
    behavioral1/memory/2020-62-0x0000000000400000-0x000000000044E000-memory.dmp | family_agenttesla
    behavioral1/memory/2020-63-0x0000000000400000-0x000000000044E000-memory.dmp | family_agenttesla
    behavioral1/memory/2020-64-0x000000000044997E-mapping.dmp | family_agenttesla
    behavioral1/memory/2020-66-0x0000000000400000-0x000000000044E000-memory.dmp | family_agenttesla
    behavioral1/memory/2020-68-0x0000000000400000-0x000000000044E000-memory.dmp | family_agenttesla
- ReZer0 packer 1 IoCs
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes:
    resource | yara_rule
    behavioral1/memory/876-57-0x00000000007F0000-0x0000000000846000-memory.dmp | rezer0
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  Processes: RegSvcs.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: Swift Copy.exe
    description | pid | process | target process
    PID 876 set thread context of 2020 | 876 | Swift Copy.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes: RegSvcs.exe
    pid | process
    2020 | RegSvcs.exe
    2020 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: RegSvcs.exe
    description | pid | process
    Token: SeDebugPrivilege | 2020 | RegSvcs.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes: Swift Copy.exe
    description | pid | process | target process
    PID 876 wrote to memory of 2020 | 876 | Swift Copy.exe | RegSvcs.exe
    (the same entry is recorded 12 times)
- outlook_office_path 1 IoCs
  Processes: RegSvcs.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path 1 IoCs
  Processes: RegSvcs.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, child of Swift Copy.exe)
    command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/876-54-0x00000000002C0000-0x000000000033A000-memory.dmp (488KB)
- memory/876-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp (8KB)
- memory/876-56-0x0000000000420000-0x0000000000428000-memory.dmp (32KB)
- memory/876-57-0x00000000007F0000-0x0000000000846000-memory.dmp (344KB)
- memory/2020-59-0x0000000000400000-0x000000000044E000-memory.dmp (312KB)
- memory/2020-58-0x0000000000400000-0x000000000044E000-memory.dmp (312KB)
- memory/2020-61-0x0000000000400000-0x000000000044E000-memory.dmp (312KB)
- memory/2020-62-0x0000000000400000-0x000000000044E000-memory.dmp (312KB)
- memory/2020-63-0x0000000000400000-0x000000000044E000-memory.dmp (312KB)
- memory/2020-64-0x000000000044997E-mapping.dmp
- memory/2020-66-0x0000000000400000-0x000000000044E000-memory.dmp (312KB)
- memory/2020-68-0x0000000000400000-0x000000000044E000-memory.dmp (312KB)