Analysis
max time kernel: 118s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 17:24
Static task: static1
Behavioral task: behavioral1
  Sample: SWIFT copy.29112022.Pdf.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: SWIFT copy.29112022.Pdf.exe
  Resource: win10v2004-20220812-en
General
Target: SWIFT copy.29112022.Pdf.exe
Size: 745KB
MD5: 5f400bae896422a69db460a4507fd657
SHA1: e90b7c431d34b39bef8492de7fb987f51c3fb804
SHA256: d5de496be1535d0b8d9c8f57087e9ae2a26aaf7c33c2ddca65b3231dc3b2460b
SHA512: 7e54192c570d2a7fe7700d69bd782173dfe41dc102afceffbda47207d4bfcb80783f7c70bf9666e287ccbcf413bf482aeb321fe559ba7b75ae43416b0feee643
SSDEEP: 12288:ZYn2P8Ai1FDasqS6/0kz0z63eR7J/ZmhOQQVvedp:qn20t1Ffl+0kzAttq62
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.nutiribio.com
Port: 587
Username: humhum@nutiribio.com
Password: zGNVO(l5
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (1 IoC)
  Processes:
  resource: behavioral2/memory/736-138-0x0000000000400000-0x000000000043C000-memory.dmp, yara_rule: family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description: PID 4364 set thread context of 736; pid: 4364; process: SWIFT copy.29112022.Pdf.exe; target process: SWIFT copy.29112022.Pdf.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid 736, process SWIFT copy.29112022.Pdf.exe (entry repeated 2 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description: Token: SeDebugPrivilege; pid: 736; process: SWIFT copy.29112022.Pdf.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description: PID 4364 wrote to memory of 736; pid: 4364; process: SWIFT copy.29112022.Pdf.exe; target process: SWIFT copy.29112022.Pdf.exe (entry repeated 8 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\SWIFT copy.29112022.Pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT copy.29112022.Pdf.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SWIFT copy.29112022.Pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT copy.29112022.Pdf.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/736-137-0x0000000000000000-mapping.dmp
- memory/736-138-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/736-139-0x00000000060A0000-0x0000000006106000-memory.dmp (Filesize: 408KB)
- memory/4364-132-0x0000000000EF0000-0x0000000000FB0000-memory.dmp (Filesize: 768KB)
- memory/4364-133-0x0000000006060000-0x0000000006604000-memory.dmp (Filesize: 5.6MB)
- memory/4364-134-0x0000000005970000-0x0000000005A02000-memory.dmp (Filesize: 584KB)
- memory/4364-135-0x0000000005960000-0x000000000596A000-memory.dmp (Filesize: 40KB)
- memory/4364-136-0x0000000008430000-0x00000000084CC000-memory.dmp (Filesize: 624KB)