Analysis

- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12-11-2024 01:52
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe
  - Resource: win7-20240903-en
General

- Target: SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe (the Russian part of the name means "PAYMENT INSTRUCTION", a typical finance-themed lure filename)
- Size: 1.1MB
- MD5: f6be5052e55b977c9705e286a47bfb3e
- SHA1: bdc3f755192960ce6c320292a7a23f150bf39396
- SHA256: 802e9618028eba6547f5ecd5c003dbfdd0a663c11aa9a438b843767930f5fe39
- SHA512: 5b65b43d0aa4370e4f3c8e5462907527a112885d37bfc835fd0f4e440a8debc6ef061a5f8965cbc5c5734a72bb3512726e45daaf0d57d6fa4a171895925f0b33
- SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaCZz6HcYkoEQk+3LDjoofB1:7JZoQrbTFZY1iaCsHvkqfDjoQn
Malware Config

Extracted: agenttesla
- Protocol: ftp
- Host: ftp://backup.smartape.ru
- Port: 21
- Username: user894494
- Password: UPQxNeF0GUq5
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT); the original builds were written in Visual Basic .NET. It harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP. The FTP host and credentials in the extracted config above are this sample's exfiltration channel.

Agenttesla family
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 352 SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe set thread context of PID 2440 (procid_target 30)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Processes:
- SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- RegSvcs.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 2440 RegSvcs.exe (2 events)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- PID 352 SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- PID 2440 RegSvcs.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 352 SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- PID 352 SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe (2 events)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 352 SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe wrote to memory of PID 2440 (procid_target 30), 8 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe"
   PID: 352
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 352)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe"
      PID: 2440
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Note that the RegSvcs.exe child carries the dropper's path as its command line rather than its own image path, and that the parent wrote to its memory eight times and then set its thread context. That sequence is consistent with process hollowing (RunPE): the parent creates a legitimate .NET framework utility suspended, replaces its image in memory with the AgentTesla payload, and resumes it, so the stealer runs under a Microsoft-signed image name.
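The following is an added detection example, not part of the sandbox report or of any vendor's tooling. It transcribes the report's process tree and the WriteProcessMemory / SetThreadContext IoC lines as constructed input, then flags the hollowing pattern: a parent that both writes to a child's memory and sets its thread context, where the child runs a .NET framework host and its command line names a different executable than its image. The text layout of the IoC lines, the list of commonly hollowed .NET hosts, and the `find_hollowing` function are assumptions made for this example.

```python
"""Flag the process-hollowing pattern visible in a sandbox report like this one.

Added example; not code from the report. Input lines are transcribed from the
report's Signatures and Processes sections and are constructed for this script.
"""
import re

# IoC lines in the report's flattened layout (constructed input; the parsing
# format below is an assumption about that layout, not a sandbox API).
IOC_LINES = [
    "PID 352 set thread context of 2440 352 SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe 30",
    "PID 352 wrote to memory of 2440 352 SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe 30",
    "PID 352 wrote to memory of 2440 352 SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe 30",
]

# Process tree from the report: (pid, parent pid, image path, command line).
PROCESSES = [
    (352, None,
     r"C:\Users\Admin\AppData\Local\Temp\SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe"'),
    (2440, 352,
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\SWIFT BANK ПЛАТЕЖНОЕ УКАЗАНИЕ.exe"'),
]

# .NET framework utilities that commodity .NET loaders commonly hollow
# (assumed watchlist for this example; extend to taste).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "applaunch.exe", "vbc.exe", "csc.exe"}

IOC_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def parse_iocs(lines):
    """Map (source pid, target pid) -> set of API kinds seen between them."""
    events = {}
    for line in lines:
        m = IOC_RE.match(line)
        if not m:
            continue
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        kind = "set_thread_context" if action.startswith("set") else "write_process_memory"
        events.setdefault((src, dst), set()).add(kind)
    return events


def basename(path):
    """Lower-cased final path component, tolerant of quotes and mixed slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def cmdline_image(cmdline):
    """First token of a command line, honoring a quoted executable path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def find_hollowing(processes, ioc_lines):
    """Return (parent_pid, child_pid, child_image, reasons) for each suspected hollowing."""
    events = parse_iocs(ioc_lines)
    by_pid = {p[0]: p for p in processes}
    findings = []
    for (src, dst), kinds in events.items():
        # Hollowing needs both a remote write and a thread-context rewrite.
        if {"set_thread_context", "write_process_memory"} - kinds:
            continue
        child = by_pid.get(dst)
        if child is None:
            continue
        _, ppid, image, cmdline = child
        reasons = ["parent wrote memory and set thread context of target"]
        if ppid == src:
            reasons.append("target is a direct child of the writer")
        img = basename(image)
        if img in DOTNET_HOSTS:
            reasons.append(f"target image {img} is a .NET host commonly hollowed")
        if basename(cmdline_image(cmdline)) != img:
            reasons.append("command line names a different executable than the image")
        findings.append((src, dst, img, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, img, reasons in find_hollowing(PROCESSES, IOC_LINES):
        print(f"PID {src} -> PID {dst} ({img}):")
        for r in reasons:
            print("  -", r)
```

Run against the report's data this yields a single finding, PID 352 hollowing PID 2440 (regsvcs.exe), with all four reasons firing. The same logic transfers to EDR telemetry: the image-versus-command-line mismatch on a .NET framework utility is the cheapest of the four signals to alert on, since it needs only process-creation events and no API hooking.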