General

  • Target

    Swift Copy_394349.img

  • Size

    60KB

  • Sample

    221101-nnf7msbdh5

  • MD5

    3cb7995eac2995c7a7221f6defc211f8

  • SHA1

    62e6dc51c147327079f7ce1ec74be0b97af6be14

  • SHA256

    1f72d62d0dc796897349974073d06f75278fd9824a83e78792ef598e7345af70

  • SHA512

    6b786d1571b07b5dfd5a11931fb3f0b2ee373759374567dc1c2d79d62207d2764067b36fcad3f14a20cfd5e86beead0774862ead82a019f5aaea91ba99414d49

  • SSDEEP

    192:E4X1w+zIHTL5OIU3/N38stYcFmVc03KY:E4XdczL5OIe3ptYcFmVc03K

Malware Config

Targets

    • Target

      Swift Copy_394349.exe

    • Size

      9KB

    • MD5

      468ae9ce007c37bddd12ca164b0e5755

    • SHA1

      9fa75e7e6ad0146ca02962e94b3003bbb9f27525

    • SHA256

      a896f8c6f032d59af2c92b4ce005b141b8cd396dcb1a527ce5b8b04929004471

    • SHA512

      5779a4c0a0d01118945c06556d1473fc756ebb10e1402c0562d50b86ccd9d20c6048c04eb33f98392d8ca33aed5915c09e5201a1e1ca5ff5f853dadb651d684a

    • SSDEEP

      192:l4X1w+zIHTL5OIU3/N38stYcFmVc03KY:l4XdczL5OIe3ptYcFmVc03K

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks