General

  • Target

    ebd85d1286d8752ea32ac03723f3da097f7818d80ea4072fbb9a70deb3c7914a

  • Size

    1.2MB

  • Sample

    240727-bgd3gswhkn

  • MD5

    ad454595fabe2092a6457f9301bc4382

  • SHA1

    453b47bdedf94106805578789157e98f6586c03c

  • SHA256

    ebd85d1286d8752ea32ac03723f3da097f7818d80ea4072fbb9a70deb3c7914a

  • SHA512

    4c145a1869f0322ee23ad8893ae23e6cf820e1d57d86dd5b1666c820a7be661e3273ff9d8dbc08be2c9310c10f5f92f4d709b69b9ad8033466e4139f8dba9a3a

  • SSDEEP

    24576:3v62AsK7UdbB/GMdJ/hrKw9X9F2W0XdOfI1dI19S30Kz8WhMje8e/GO9x:K7UVB/GMdLrKutFaXd8Sd4S30KxPfGy

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://inhanoi.net.vn
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ^TSt3!FK$UBA

Targets

    • Target

      Swift Copy 03744 jpg.exe

    • Size

      2.3MB

    • MD5

      cb88d49c512d2f2c541197bf8441fef4

    • SHA1

      7010cfd455958017b4d2f24e9daa1c87e4a99671

    • SHA256

      04b00242475d924b26346af52958d9f69649b80b308c5b2693c4336df1c77d91

    • SHA512

      02008bec364dcaa3e9f1aaafe135b3c8975e0bef9718a3bd7f984372c9c89ce72af0167dfae3a8c05ecf42d0b16ab8c40d13229cf08f2efdee7768f808a0c04d

    • SSDEEP

      49152:kg7eO7kjTav5AwVZG0Y3uS+s1vm1lPt+uf9u:x7lqmVu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access

      Credentials from Password Stores (T1555): 1
      Credentials from Web Browsers (T1555.003): 1

  • Discovery

      System Location Discovery (T1614): 1
      System Language Discovery (T1614.001): 1

Tasks