General

  • Target

    Bank Swift.xlsx

  • Size

    510KB

  • Sample

    200716-lqccfcc3g2

  • MD5

    85c3a967a99d6c181ec434836f6731de

  • SHA1

    b2a176e57a8de0bd7477c229e3394a08b84c582c

  • SHA256

    8f8f5bf3c44375eb2f9fd15dbe8c470f0bd71096a3204e1a6dea42d054d52090

  • SHA512

    622aa5283c50e024497286579e9e3914716536a68fb55bea75a9cd3c0d698330a0639ec8bef3856243b9a0f2e71d8734c0443eacdfb4a854e9126fd0663c8216

Score
8/10
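The four digests above are the identifiers a responder will match against a suspicious attachment. As an added example (not part of the sandbox report), the following Python computes all four digests of a file in one streamed pass and compares them with the published values; the `REPORT_IOCS` table is copied from the report, and everything else (function names, the CLI wrapper) is this example's own.

```python
"""Added example, not from the sandbox report: verify whether a local file is the
reported sample by computing MD5/SHA1/SHA256/SHA512 and comparing with the report."""
import hashlib

# Digests published in the report above for "Bank Swift.xlsx" (510KB).
REPORT_IOCS = {
    "md5": "85c3a967a99d6c181ec434836f6731de",
    "sha1": "b2a176e57a8de0bd7477c229e3394a08b84c582c",
    "sha256": "8f8f5bf3c44375eb2f9fd15dbe8c470f0bd71096a3204e1a6dea42d054d52090",
    "sha512": "622aa5283c50e024497286579e9e3914716536a68fb55bea75a9cd3c0d698330a"
              "0639ec8bef3856243b9a0f2e71d8734c0443eacdfb4a854e9126fd0663c8216",
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def compute_digests(data: bytes) -> dict:
    """Hash an in-memory byte string with every algorithm in ALGOS."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compute_file_digests(path, chunk_size=1 << 20) -> dict:
    """Stream a file through all four hashers at once, so large samples are read
    exactly once and never need to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS) -> dict:
    """Return {algorithm: matched?} for every digest the report publishes.
    Comparison is case-insensitive because tools disagree on hex casing."""
    return {name: digests.get(name, "").lower() == value.lower()
            for name, value in iocs.items()}


def is_known_sample(digests: dict, iocs: dict = REPORT_IOCS) -> bool:
    """True only when every published digest matches. A file matching on MD5 or
    SHA1 but not SHA256 is not the same file (or the report was doctored), so
    partial agreement is treated as no match."""
    return all(match_iocs(digests, iocs).values())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:  # usage: python ioc_check.py <file> [...]
        d = compute_file_digests(p)
        print(p, "MATCH" if is_known_sample(d) else "no match", d["sha256"])
```

The streaming variant matters for triage at scale: hashing a multi-gigabyte disk image four times, once per algorithm, is four reads, whereas feeding one chunk to four hashers is one.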

Malware Config

Targets

    • Target

      Bank Swift.xlsx

    • Size

      510KB

    • MD5

      85c3a967a99d6c181ec434836f6731de

    • SHA1

      b2a176e57a8de0bd7477c229e3394a08b84c582c

    • SHA256

      8f8f5bf3c44375eb2f9fd15dbe8c470f0bd71096a3204e1a6dea42d054d52090

    • SHA512

      622aa5283c50e024497286579e9e3914716536a68fb55bea75a9cd3c0d698330a0639ec8bef3856243b9a0f2e71d8734c0443eacdfb4a854e9126fd0663c8216

    Score
    8/10
    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Uses the VBS compiler for execution

      The .NET Visual Basic compiler (vbc.exe) is a signed Microsoft binary; malware commonly launches it only to use it as a host process for injected code, so a vbc.exe child of anything other than build tooling is suspect.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Writing another process's thread context is the final step of process hollowing (RunPE); together with the dropped EXE and the vbc.exe launch above, this is consistent with the payload being injected into a legitimate signed process rather than run on disk.
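The signatures above are the report's verdicts; a detection engineer usually wants to see what telemetry each one reduces to. The following Python is an added example, not the sandbox's own signature code: it walks a small, constructed event stream (a Sysmon-like schema assumed for the example, with hypothetical paths and PIDs) and re-derives four of the report's signatures, including the caveat that SetThreadContext on a thread of the caller's own process is normal and only the cross-process case should fire.

```python
"""Added example, not from the sandbox report: re-derive behaviour signatures
from process/registry/API telemetry. The event schema is an assumption made for
this example (loosely Sysmon-like); the events are constructed, not captured."""
import re

# Persistence: values under the per-user or per-machine Run / RunOnce keys.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations an Office process should not be spawning executables from.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Parents for which vbc.exe is a legitimate child (build tooling); others are suspect.
VBC_LEGIT_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return the set of signature names that fire on the event stream, using the
    same names as the report for the behaviours it lists."""
    hits = set()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            parent = basename(ev.get("parent_image", ""))
            child = basename(ev["image"])
            if parent in OFFICE and USER_WRITABLE.search(ev["image"]):
                hits.add("Executes dropped EXE")
            if child == "vbc.exe" and parent not in VBC_LEGIT_PARENTS:
                hits.add("Uses the VBS compiler for execution")
        elif kind == "registry_set" and RUN_KEY.search(ev["key"]):
            hits.add("Adds Run key to start application")
        elif kind == "api_call" and ev["api"] == "SetThreadContext":
            # Same-process SetThreadContext is benign (debuggers, exception
            # handling); a write into another process's thread is the hollowing tell.
            if ev.get("target_pid") not in (None, ev["pid"]):
                hits.add("Suspicious use of SetThreadContext")
    return hits


# Constructed telemetry approximating the chain the report describes (hypothetical
# paths and PIDs; nothing here is taken from the sample itself).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 200,
     "image": r"C:\Users\victim\AppData\Roaming\payload.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "process_create", "pid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\Users\victim\AppData\Roaming\payload.exe"},
    {"type": "api_call", "pid": 200, "api": "SetThreadContext", "target_pid": 300},
    {"type": "registry_set", "pid": 200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\payload"},
]

if __name__ == "__main__":
    for hit in sorted(triage(SAMPLE_EVENTS)):
        print("[+]", hit)
```

The vbc.exe rule is deliberately parent-based rather than path-based: the binary itself is legitimate and lives in its normal place, so the only anomaly is who launched it.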

MITRE ATT&CK Enterprise v6

Tasks