General

  • Target

    ad9ecacc69ace0611e6004c4e42dc1b296936a6af88987981495d02ec49510eb.rar

  • Size

    694KB

  • Sample

    240502-cc3qqadg61

  • MD5

    5cdd9d0479133cb5c77d1d9fdfbb5255

  • SHA1

    d59cb8b30d30d2d89655c1a18aefbd6b7768acc5

  • SHA256

    ad9ecacc69ace0611e6004c4e42dc1b296936a6af88987981495d02ec49510eb

  • SHA512

    d6d808c1ee7f70997786c81e8b9981b253ec12ce60690204779d61053895ff54abcabca2ee10db1bbcbe16ec09a902cf65df269ddf3f88df0e381bf21d0e3770

  • SSDEEP

    12288:7fRgiwm0f9vS12Fqp9+FVEWm5sPntJTOvZ1UXmUDTjX9P+sZscajGsKunKG:im0EMFgEFV7Znt2I1DTzYGLuKG

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted Credentials

  • Protocol:
    smtp
  • Host:
    mail.starmech.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nics123

Targets

    • Target

      SWIFT COPY.exe

    • Size

      793KB

    • MD5

      b72be9d3d457c7e745b6f9647ebb7223

    • SHA1

      047da905ef9d90946745a68409908040b63eee54

    • SHA256

      ca4db0fd02f9a6e22c53d273087156269b720cf0b92140c67cc0cbc9d279cc26

    • SHA512

      df4cba22bab94c5c1eb44f5e769db23e72547cb402215df31edb1e449882bee93ed8c37030c3d0df73f9dc67ad275e5e183505b5600b0829f1d7cfa91188109d

    • SSDEEP

      24576:TIUVMtlmWygnOwYpC/u8I7dLGedse/0sl:05t8WAwYWu8OLZdse/0s

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables, mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
