Overview

overview

10

Static

static

1

swft copy ...00.exe

windows7-x64

10

swft copy ...00.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    swft copy $57,000.00.zip

  • Size

    504KB

  • Sample

    230328-vxn26scb86

  • MD5

    38726969f39da0e76da2acb6d5ae0811

  • SHA1

    4fa52094aeb1926e5c1a8d96fa91944f3b6f63de

  • SHA256

    4485f9c31e36464caa819388805c34e62f5e6467677e46244c8bdc9cb6338044

  • SHA512

    40c854eb59cf81d0af85a85aa9eceb5f0a55b7e14ab33e45983bb0d2d3c953178c081e2c56262dcf7c93a6e256f2df90abfb26aeb833d719f9d1618fdc16af80

  • SSDEEP

    12288:lqmBt6tNylLLpBEg9w31O1mjAe6KyLHfWBmgK0Ykghi:lJf6tNApB5u31EVeZyDfak0YkL

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.southernboilers.org
  • Port:
    587
  • Username:
    info@southernboilers.org
  • Password:
    Sksmoke2018#
  • Email To:
    obtxxxtf@gmail.com

Targets

    • Target

      swft copy $57,000.00.exe

    • Size

      741KB

    • MD5

      40077888e6bb26f772519a6ed8e503b4

    • SHA1

      1b0026ac6a5a9ac704e211916f03dbf120529d0e

    • SHA256

      33f7516da3fd501837bfd69123229607d900dabf2d94d4f140b613a39c740c92

    • SHA512

      07411139bc664c2edb509b6461828fe7ec80ab209bfe9080a14c118cd39aeb9d7460a149184ced71b916c985e10fef7ad2942541f6d088422a32d99e8c0a126e

    • SSDEEP

      12288:nNNnqMhbkNyVL5pDEgTw3pO1mNAecKyihZj9196hBCyeT:n7ndxkNOpD5c3pEFePyihihBCyeT

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks