Overview

overview

10

Static

static

3

Swift Copy.exe

windows7-x64

10

Swift Copy.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d0e2112790995d909ce7fd9abea65b07_JaffaCakes118

  • Size

    453KB

  • Sample

    240907-cwhvnazhkl

  • MD5

    d0e2112790995d909ce7fd9abea65b07

  • SHA1

    477baf5e685c80485d04955e2c0eb2e71a538afd

  • SHA256

    b1af5a3a684f0596d404534607a2ae8c8cb79996fbbf7081ce6b854e861168f3

  • SHA512

    84c32acdb87d187512eb1a1279d5fbb141b111efd0e78e1d13c001ecce3b9324bd026e949465af36bd56610fdd0887ee28c60aa7b7a7d1cc123b33167df533eb

  • SSDEEP

    12288:SN0RXA9HbPRE/YELhRebQsCJ1jx5bCrV9cbNic:yMA97U3ReMsCLzmVSN3

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.seshsupports.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    User@40378

Targets

    • Target

      Swift Copy.exe

    • Size

      679KB

    • MD5

      c56e32027ccd7a04db2cb6ebbb39bcf2

    • SHA1

      36615574cd8728ebffd48a89f39760752451bfd4

    • SHA256

      a7dc1b812cdc25fb3eb7a0e8e9e32e75a395b35621ac0f743cbccfaf1da56b51

    • SHA512

      c5b2f6c30950cc7cbb084dedf89b00712e40ca88fcedd6dd722c66da27f335f1e21879a5ff38802d676e457bbd5ee4554b1f85f3e3da2212722adaaa4c76a47e

    • SSDEEP

      12288:TRP56V86cnMH/1+UOoiXCjuQ1/9+x2bJrk83MqPIrRN:R56VKSN+7DXiuQmA1rkWQrn

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Drops file in Drivers directory

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks