Overview

overview

10

Static

static

3

Swift scan.exe

windows7-x64

10

Swift scan.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 05:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Swift scan.exe

  • Size

    844KB

  • MD5

    2b09b0e829ae8e3baf44ea7597e9d83a

  • SHA1

    23e22129c79e41808ba77bf99a1bf8e77d8e5182

  • SHA256

    167a7a33c321ff9bf91a313c19edb14c195c34662c465560a868e6d2d8f214ad

  • SHA512

    82a3e5a413fd985ab0e868fba65312429a5686fa49f91d19ca670bf85988f3548205bd7b6ab69c6f0080555726a83bbc309b57917004c7bb7957f94235da9a4e

  • SSDEEP

    12288:SJx504bFtx504bFWxETdmtCJET9OziEECUBOwHOGnaOjiobasXd37G:gw4bjw4bnpRzMOQbTN7

Score
10/10
agentteslaexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.bonnyriggdentalsurgery.com.au
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Sages101*

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Swift scan.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift scan.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift scan.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SePSCGQw.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4888
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SePSCGQw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp829D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    8d9ff38f8408f43edb053fdbf056ddaa

    SHA1

    b5b2a65a1d2a9efe091c77cf85e576ec01eae8f4

    SHA256

    a529fd03224a661092d90c25d6c964dedb5a8409673717b9d38fde4db59ebf5c

    SHA512

    faa776a2d0f15f09cb34c8720dbb9d69ab0c280de0148f4716e34bc0078d6ef5e3d4ddec405242006667d35df555c02834c8cbee14c890f92376e9d8d36dc830

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yqtqwodz.01d.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp829D.tmp
    Filesize

    1KB

    MD5

    46426533f5fae3d8f40341550640125b

    SHA1

    f177673556de3cb18fdeda0e5ab82a636629f250

    SHA256

    98d3b03d00ecd530b008eb7c9e94eab23a38158e18519828f987da38e78c3482

    SHA512

    af75d6dbc8a4a4a2962f6f6be7140c9a2f3dd3bc1d39eefcfb87a6e2116dbfb67832f43e1cd3c7555893133c317b264ed74e2cb488c0fdf4f01f8a384a5759ec

    Download Submit

  • memory/2636-86-0x0000000074C80000-0x0000000075430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2636-24-0x0000000074C80000-0x0000000075430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2636-78-0x00000000076A0000-0x00000000076B4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2636-74-0x00000000076E0000-0x0000000007776000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2636-79-0x00000000077A0000-0x00000000077BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2636-71-0x0000000007AA0000-0x000000000811A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2636-14-0x0000000002820000-0x0000000002856000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2636-16-0x0000000005330000-0x0000000005958000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2636-15-0x0000000074C80000-0x0000000075430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2636-17-0x0000000074C80000-0x0000000075430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2636-72-0x0000000007460000-0x000000000747A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2636-80-0x0000000007780000-0x0000000007788000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2636-60-0x000000006FCC0000-0x000000006FD0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2636-23-0x0000000005AD0000-0x0000000005B36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2636-22-0x0000000005A60000-0x0000000005AC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2636-47-0x00000000061D0000-0x000000000621C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2636-46-0x0000000006140000-0x000000000615E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2636-21-0x0000000005260000-0x0000000005282000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2636-35-0x0000000005B40000-0x0000000005E94000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3380-88-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3380-5-0x0000000005540000-0x00000000055DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3380-30-0x0000000006550000-0x0000000006592000-memory.dmp

    Filesize

    264KB

    Download

  • memory/3380-3-0x00000000051D0000-0x0000000005262000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3380-76-0x0000000007380000-0x00000000073D0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3380-2-0x0000000005870000-0x0000000005E14000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3380-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3380-1-0x0000000000710000-0x00000000007E6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/3380-9-0x00000000063D0000-0x0000000006454000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3380-89-0x0000000074C80000-0x0000000075430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3380-4-0x0000000005280000-0x000000000528A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3380-8-0x0000000005340000-0x0000000005350000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3380-7-0x0000000005F20000-0x0000000005F3A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3380-6-0x0000000074C80000-0x0000000075430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4888-36-0x0000000074C80000-0x0000000075430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4888-77-0x0000000007C60000-0x0000000007C6E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4888-75-0x0000000007C30000-0x0000000007C41000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4888-73-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4888-70-0x0000000007920000-0x00000000079C3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4888-48-0x00000000078E0000-0x0000000007912000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4888-59-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4888-87-0x0000000074C80000-0x0000000075430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4888-49-0x000000006FCC0000-0x000000006FD0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4888-20-0x0000000074C80000-0x0000000075430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4888-18-0x0000000074C80000-0x0000000075430000-memory.dmp

    Filesize

    7.7MB

    Download