Overview

overview

10

Static

static

3

RCP0000046...PY.exe

windows7-x64

10

RCP0000046...PY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2024 09:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RCP000004689 SWIFT COPY.exe

  • Size

    658KB

  • MD5

    288ca7008a4c4c5209c6ec3e140686bc

  • SHA1

    70ce1b94aa00f963cf520b436c2d5559b7d44107

  • SHA256

    15d2a43a0424b074f4e9f306f95bd04f9a3c33561b021364a8edaa78767c631c

  • SHA512

    a7ce1d18fa745e0c1c55af0e3cdbb7c9b32ffb1eecb9f1075978c283e8b34edf83607711de93abed5293bb9e6143862a6980ce8d3dd72bcf084dfb9647a0fece

  • SSDEEP

    12288:fH2iNlw0QKtgmz6wAAGCtp46wxdpXSiYFvaytWF7Mvs6gcGBWYTzqbC:v1Xhfz6aG8oMi7F7QuWY6G

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RCP000004689 SWIFT COPY.exe
    "C:\Users\Admin\AppData\Local\Temp\RCP000004689 SWIFT COPY.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RCP000004689 SWIFT COPY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BAAoHtZjEgl.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BAAoHtZjEgl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5DF8.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2544
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5DF8.tmp
    Filesize

    1KB

    MD5

    e8e6bb8712e5d15e28f67352af46dbfb

    SHA1

    0eed2f7cfcecc6c6535ebb3d0ef35ef1531e4ecf

    SHA256

    7a63200adeb5682c7f66bc3681a19e8f6ac668211f8d19b9d4ba7fd55cabf9f0

    SHA512

    7890085e2947df157ed7738ec4e54dd5d7b7f9ccb7bb9386fa3eccde1e6807f5c919420b41c88f66cdf5b48afa9fb6db701c2a0dfeea69fb0cd4f112a0e7f607

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KYN0BKE289ARP55KUMBV.temp
    Filesize

    7KB

    MD5

    a66ac00d667e58355e82d7c0cabd4be6

    SHA1

    9d8f4f44ce5b4835b479b757f0302bde0ff35afe

    SHA256

    f7300630d9debfc51dc4aa47620eff3b46c87916b41debf1bdcc4a627dc4a19f

    SHA512

    1685b96f0b7dcc53c799fba719912c28160d0d3d187992c73a798a8021d75a1b17caffa8176f34634c9ebf0ae4880822f4da6d0c51dbcb9e374af998320d3ec2

    Download Submit
  • memory/1916-27-0x0000000074320000-0x0000000074A0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1916-3-0x0000000000340000-0x0000000000352000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1916-4-0x00000000003A0000-0x00000000003AC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1916-5-0x00000000052E0000-0x0000000005362000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1916-2-0x0000000001EB0000-0x0000000001EF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1916-0-0x0000000000280000-0x0000000000328000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1916-1-0x0000000074320000-0x0000000074A0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2172-19-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2172-20-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2172-21-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2172-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-24-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2172-42-0x0000000000DD0000-0x0000000000E10000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2172-36-0x0000000073240000-0x000000007392E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2172-18-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2172-41-0x0000000073240000-0x000000007392E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2172-26-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2172-37-0x0000000000DD0000-0x0000000000E10000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2172-29-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2496-39-0x000000006E060000-0x000000006E60B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2496-35-0x00000000028A0000-0x00000000028E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2496-38-0x00000000028A0000-0x00000000028E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2496-30-0x000000006E060000-0x000000006E60B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2496-33-0x000000006E060000-0x000000006E60B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2688-34-0x00000000003E0000-0x0000000000420000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2688-32-0x00000000003E0000-0x0000000000420000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2688-40-0x000000006E060000-0x000000006E60B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2688-31-0x000000006E060000-0x000000006E60B000-memory.dmp
    Filesize

    5.7MB

    Download