Analysis
- max time kernel: 120s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2024 02:38
Static task: static1
Behavioral task: behavioral1
- Sample: RCP000004689 SWIFT COPY.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: RCP000004689 SWIFT COPY.exe
- Resource: win10v2004-20240319-en
General
- Target: RCP000004689 SWIFT COPY.exe
- Size: 658KB
- MD5: 288ca7008a4c4c5209c6ec3e140686bc
- SHA1: 70ce1b94aa00f963cf520b436c2d5559b7d44107
- SHA256: 15d2a43a0424b074f4e9f306f95bd04f9a3c33561b021364a8edaa78767c631c
- SHA512: a7ce1d18fa745e0c1c55af0e3cdbb7c9b32ffb1eecb9f1075978c283e8b34edf83607711de93abed5293bb9e6143862a6980ce8d3dd72bcf084dfb9647a0fece
- SSDEEP: 12288:fH2iNlw0QKtgmz6wAAGCtp46wxdpXSiYFvaytWF7Mvs6gcGBWYTzqbC:v1Xhfz6aG8oMi7F7QuWY6G
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: sg2plcpnl0128.prod.sin2.secureserver.net
- Port: 587
- Username: accounts@equityhyundai.com
- Password: oc27-JcbRAO~
- Email To: xqalloys@gmail.com
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. (5 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2452-20-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2452-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2452-26-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2452-35-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (5 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2452-20-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2452-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2452-26-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2452-35-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
- Detects executables packed with SmartAssembly. (1 IoC)
  Processes (resource / yara_rule):
  behavioral1/memory/2192-4-0x0000000001D60000-0x0000000001D6C000-memory.dmp  INDICATOR_EXE_Packed_SmartAssembly
- Detects executables referencing Windows vault credential objects. Observed in infostealers. (5 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2452-20-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2452-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2452-26-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2452-35-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. (5 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2452-20-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2452-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2452-26-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2452-35-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
- Detects executables referencing many email and collaboration clients. Observed in information stealers. (5 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2452-20-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2452-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2452-26-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2452-35-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
- Detects executables referencing many file transfer clients. Observed in information stealers. (5 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2452-20-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2452-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2452-26-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2452-35-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
- Looks up external IP address via web service. (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  4  api.ipify.org
  5  api.ipify.org
- Suspicious use of SetThreadContext. (1 IoC)
  Processes (description / pid / process / target process):
  set thread context of 2452  2192  RCP000004689 SWIFT COPY.exe  RegSvcs.exe
- Enumerates physical storage devices. (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s). (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses. (6 IoCs)
  Processes (pid / process):
  2192  RCP000004689 SWIFT COPY.exe
  2192  RCP000004689 SWIFT COPY.exe
  2740  powershell.exe
  1172  powershell.exe
  2452  RegSvcs.exe
  2452  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken. (4 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  2192  RCP000004689 SWIFT COPY.exe
  Token: SeDebugPrivilege  2740  powershell.exe
  Token: SeDebugPrivilege  1172  powershell.exe
  Token: SeDebugPrivilege  2452  RegSvcs.exe
- Suspicious use of WriteProcessMemory. (24 IoCs)
  Processes (description / pid / process / target process / occurrences):
  PID 2192 wrote to memory of 2740  2192  RCP000004689 SWIFT COPY.exe  powershell.exe  x4
  PID 2192 wrote to memory of 1172  2192  RCP000004689 SWIFT COPY.exe  powershell.exe  x4
  PID 2192 wrote to memory of 2700  2192  RCP000004689 SWIFT COPY.exe  schtasks.exe    x4
  PID 2192 wrote to memory of 2452  2192  RCP000004689 SWIFT COPY.exe  RegSvcs.exe     x12
Processes
- C:\Users\Admin\AppData\Local\Temp\RCP000004689 SWIFT COPY.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RCP000004689 SWIFT COPY.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RCP000004689 SWIFT COPY.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BAAoHtZjEgl.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BAAoHtZjEgl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E35.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7E35.tmp
  Filesize: 1KB
  MD5: 476e615f548162969670758f7cfdc876
  SHA1: 97fec40598798bc383a5a39292d287e92bc54c59
  SHA256: 3b261b05ab523d9e83ee7990a520c3e505f4de13c4507f806349aa3f96024b7b
  SHA512: 6fbc0cb80f3f1b58948ecd83dbddb529c7ba35fa8b10b409b6e4909e56cde2d4f132524a58a8fc65dbceaeee693f6979194836ffb9771d77dc69ca5bc3e5bd4d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 7cc74a601927da4ff783e73b911caf55
  SHA1: 20cb10dd6393446702f8f7a010c76574877dc3d2
  SHA256: 95167a80429b98823c9aea730a085becfc6c64033abde4365f1fb010b215f60d
  SHA512: 6dd8df4de21ec7c66d03888684076e22c919a3e21d4c09475bd0a829652142f0970be0784e688bbec66ff85896b2b23c93e10f0d6e45649a2c072f743447fcda
Memory dumps (resource / Filesize):
  memory/1172-39-0x000000006F170000-0x000000006F71B000-memory.dmp  5.7MB
  memory/1172-34-0x0000000002360000-0x00000000023A0000-memory.dmp  256KB
  memory/1172-29-0x000000006F170000-0x000000006F71B000-memory.dmp  5.7MB
  memory/2192-0-0x0000000000080000-0x0000000000128000-memory.dmp   672KB
  memory/2192-1-0x00000000742E0000-0x00000000749CE000-memory.dmp   6.9MB
  memory/2192-2-0x0000000004AF0000-0x0000000004B30000-memory.dmp   256KB
  memory/2192-3-0x0000000001D40000-0x0000000001D52000-memory.dmp   72KB
  memory/2192-4-0x0000000001D60000-0x0000000001D6C000-memory.dmp   48KB
  memory/2192-5-0x00000000051B0000-0x0000000005232000-memory.dmp   520KB
  memory/2192-30-0x00000000742E0000-0x00000000749CE000-memory.dmp  6.9MB
  memory/2452-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
  memory/2452-35-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
  memory/2452-40-0x0000000072FE0000-0x00000000736CE000-memory.dmp  6.9MB
  memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
  memory/2452-22-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
  memory/2452-20-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
  memory/2452-18-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
  memory/2452-26-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
  memory/2452-19-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
  memory/2452-37-0x0000000072FE0000-0x00000000736CE000-memory.dmp  6.9MB
  memory/2740-36-0x00000000024B0000-0x00000000024F0000-memory.dmp  256KB
  memory/2740-32-0x000000006F170000-0x000000006F71B000-memory.dmp  5.7MB
  memory/2740-38-0x000000006F170000-0x000000006F71B000-memory.dmp  5.7MB
  memory/2740-28-0x000000006F170000-0x000000006F71B000-memory.dmp  5.7MB