Analysis
-
max time kernel
19s -
max time network
59s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
28/03/2025, 13:20
Static task
static1
Behavioral task
behavioral1
Sample
E-Notification(Swift_Copy_000948736MTCB3827).exe
Resource
win7-20241010-en
General
-
Target
E-Notification(Swift_Copy_000948736MTCB3827).exe
-
Size
1.1MB
-
MD5
41d58997e17d288cdf4733313e23e81c
-
SHA1
285f17ba04fdbcca6f18f8b61e8c794aa4ccabae
-
SHA256
63c0e81868b4d1d5744152cb95cbe7bdaaa4bc2670037276de94d80e5b0539c5
-
SHA512
7e46c84f4a09862472efec7d030fced7e2f6be2a6b4d9f2363837f44db7bb67285e1b5951c8c8053d9aa73edf952c254ca5e1479ea46d6010290624972d84c5a
-
SSDEEP
24576:3u6J33O0c+JY5UZ+XC0kGso6FaUiuxpZPFa2bG6WY:Ru0c++OCvkGs9FaUiufu2OY
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs juvenile.exe -
Executes dropped EXE 1 IoCs
pid Process 2176 juvenile.exe -
Loads dropped DLL 1 IoCs
pid Process 2608 E-Notification(Swift_Copy_000948736MTCB3827).exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0007000000016c1a-12.dat autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2176 set thread context of 2148 2176 juvenile.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E-Notification(Swift_Copy_000948736MTCB3827).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language juvenile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2148 RegSvcs.exe 2148 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2176 juvenile.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2148 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2608 E-Notification(Swift_Copy_000948736MTCB3827).exe 2608 E-Notification(Swift_Copy_000948736MTCB3827).exe 2176 juvenile.exe 2176 juvenile.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 2608 E-Notification(Swift_Copy_000948736MTCB3827).exe 2608 E-Notification(Swift_Copy_000948736MTCB3827).exe 2176 juvenile.exe 2176 juvenile.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2148 RegSvcs.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2608 wrote to memory of 2176 2608 E-Notification(Swift_Copy_000948736MTCB3827).exe 29 PID 2608 wrote to memory of 2176 2608 E-Notification(Swift_Copy_000948736MTCB3827).exe 29 PID 2608 wrote to memory of 2176 2608 E-Notification(Swift_Copy_000948736MTCB3827).exe 29 PID 2608 wrote to memory of 2176 2608 E-Notification(Swift_Copy_000948736MTCB3827).exe 29 PID 2176 wrote to memory of 2148 2176 juvenile.exe 30 PID 2176 wrote to memory of 2148 2176 juvenile.exe 30 PID 2176 wrote to memory of 2148 2176 juvenile.exe 30 PID 2176 wrote to memory of 2148 2176 juvenile.exe 30 PID 2176 wrote to memory of 2148 2176 juvenile.exe 30 PID 2176 wrote to memory of 2148 2176 juvenile.exe 30 PID 2176 wrote to memory of 2148 2176 juvenile.exe 30 PID 2176 wrote to memory of 2148 2176 juvenile.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\E-Notification(Swift_Copy_000948736MTCB3827).exe"C:\Users\Admin\AppData\Local\Temp\E-Notification(Swift_Copy_000948736MTCB3827).exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Users\Admin\AppData\Local\antiprimer\juvenile.exe"C:\Users\Admin\AppData\Local\Temp\E-Notification(Swift_Copy_000948736MTCB3827).exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\E-Notification(Swift_Copy_000948736MTCB3827).exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2148
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD59e0e7171e8c2d1c9f8f8a9efe8497350
SHA18d11766067a01bcf9e276614ad8fa21a1bcdabfe
SHA256ddaa0204187fdd8e94df3308753b3271578cf621bad6c1b6e0e3cb99e7c3762b
SHA512fe8ef7051790896841e8c62a011a7f8d09a10311b9876ea678915a189015cc8a48b45a2d6d955ab673e11f73441a20e8a69a91aa133a0b0a5293795de236aa53
-
Filesize
264KB
MD55ad9bc3334ba23ab536b67f3a8971ed7
SHA1915701590e041e4c2e60ad4cb6af3ac4dc9d0ef1
SHA25631f6898f0846391c72bd86d4983791af197ac2c191c9aa0f72e71f43981bed74
SHA512f94c6d14e4cdd3add7f8c13f1798db558092894fe09121e0072bba6d07bc472e88a23bc4dbf8636939c21e735eee1d55eb640f2ed502f9e52d5e60d87f56f4b0
-
Filesize
1.1MB
MD541d58997e17d288cdf4733313e23e81c
SHA1285f17ba04fdbcca6f18f8b61e8c794aa4ccabae
SHA25663c0e81868b4d1d5744152cb95cbe7bdaaa4bc2670037276de94d80e5b0539c5
SHA5127e46c84f4a09862472efec7d030fced7e2f6be2a6b4d9f2363837f44db7bb67285e1b5951c8c8053d9aa73edf952c254ca5e1479ea46d6010290624972d84c5a