General

Target: Swift copy.exe
Size: 556KB
Sample: 201109-v1bwebzdbj
MD5: 349ae61feada50c4b8ff926d5585b39c
SHA1: 64992674caf8b0e0c7f36f5bdcbd15429f28be8c
SHA256: 3b7f5600ea7bfb0af990233fb399996066af428042afc0bdc1ed468acfee750f
SHA512: a1a584255c610b048d53b33ded8017f23e7335a6533ec40dedfd52debfc6451941d52cc8c1b06a8690bac4daf02ae8b66ad638ea71d846253ab8669a207d0ad6
Static task: static1

Behavioral task: behavioral1
Sample: Swift copy.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: Swift copy.exe
Resource: win10v20201028
Malware Config

Extracted:
Protocol: smtp
Host: mail.roofmartlk.com
Port: 587
Username: admin@roofmartlk.com
Password: ad@rm123

The extracted configuration is a hard-coded SMTP submission account (port 587 is the mail submission port). The host, the account and outbound connections to it are the actionable network indicators for this sample.
Targets

Target: Swift copy.exe
Score: 10/10
CoreEntity .NET Packer
A .NET packer, CoreEntity, that embeds the payload as a Bitmap object and decrypts it at runtime before execution. The image is only a container: the executable bytes are carried in the pixel data.
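The bitmap-carrier trick described above, as an added example that is not part of the Triage report or of the CoreEntity packer's own code. Carving the pixel bytes out of a 24bpp BMP (skipping the headers, stripping per-row padding, undoing the bottom-up row order) is the generic part that applies to any bitmap-carrier packer; the 4-byte length prefix and single-byte XOR (`XOR_KEY`, `build_carrier_bmp`, `extract_payload`) are assumptions standing in for the real decryption routine, which the page does not describe, and `FAKE_PAYLOAD` is a constructed MZ stub rather than a real PE.

```python
import struct

# Constructed stand-in for the embedded executable: an MZ signature plus filler.
# A real packer carries a complete PE image here.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 40 + b"PE\x00\x00" + bytes(range(1, 60))

# Assumed (hypothetical) scheme for illustration only: a 4-byte little-endian length
# prefix followed by a single-byte XOR. CoreEntity's real routine is not documented here.
XOR_KEY = 0x5A
BMP_WIDTH = 5  # 24bpp: 15 payload bytes per row, which forces 1 byte of row padding


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_carrier_bmp(payload: bytes, width: int = BMP_WIDTH, key: int = XOR_KEY) -> bytes:
    """Pack the length-prefixed, XORed payload into a well-formed 24bpp BMP."""
    body = xor_bytes(struct.pack("<I", len(payload)) + payload, key)
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3          # BMP rows are padded to 4-byte multiples
    height = -(-len(body) // row_bytes)    # ceiling division
    body = body.ljust(height * row_bytes, b"\x00")
    rows = [body[i * row_bytes:(i + 1) * row_bytes] for i in range(height)]
    # A positive biHeight means rows are stored bottom-up, so the last row goes first.
    pixels = b"".join(row.ljust(stride, b"\x00") for row in reversed(rows))
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    pixel_offset = 14 + len(info_hdr)
    file_hdr = struct.pack("<2sIHHI", b"BM", pixel_offset + len(pixels), 0, 0, pixel_offset)
    return file_hdr + info_hdr + pixels


def carve_pixel_bytes(bmp: bytes) -> bytes:
    """Return the pixel bytes of an uncompressed 24bpp BMP in top-down order with the
    per-row padding stripped. This part is independent of how the bytes were encrypted."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP container")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    _size, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", bmp, 14)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24bpp bitmaps are handled here")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    bottom_up = height > 0
    rows = [bmp[pixel_offset + r * stride: pixel_offset + r * stride + row_bytes]
            for r in range(abs(height))]
    if bottom_up:
        rows.reverse()
    return b"".join(rows)


def extract_payload(bmp: bytes, key: int = XOR_KEY):
    """Decrypt the carved pixel bytes under the assumed scheme; None if no PE appears."""
    data = xor_bytes(carve_pixel_bytes(bmp), key)
    length = struct.unpack_from("<I", data, 0)[0]
    if length > len(data) - 4:          # wrong key or not a carrier: length is garbage
        return None
    payload = data[4:4 + length]
    return payload if payload[:2] == b"MZ" else None


if __name__ == "__main__":
    carrier = build_carrier_bmp(FAKE_PAYLOAD)
    recovered = extract_payload(carrier)
    print(len(carrier), "byte BMP ->",
          "no PE found" if recovered is None else f"{len(recovered)} byte PE recovered")
```

When triaging a real CoreEntity sample, keep `carve_pixel_bytes` and replace `extract_payload` with whatever the unpacker stub actually does to the pixel bytes (recovered from the .NET IL with a decompiler); the MZ check at the end is the cheap sanity test that you got the key and the row order right.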

Executes dropped EXE

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
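A detection pass over constructed, Zeek-style DNS and connection records, added here as an example and not part of the Triage report. It flags contact with the SMTP host from the extracted configuration above, flags the external-IP lookup this signature describes, and chains the two (an IP lookup followed shortly by an SMTP submission from the same source) into one higher-confidence alert. Only `mail.roofmartlk.com` and port 587 come from the page; `IP_LOOKUP_HOSTS`, `CHAIN_WINDOW`, the record layout and `SAMPLE_LOG` are assumptions.

```python
from dataclasses import dataclass

# Indicators taken from the extracted configuration on this page.
C2_SMTP_HOST = "mail.roofmartlk.com"
C2_SMTP_PORT = 587

# Assumed list of public IP-lookup services; the report does not name the one used.
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "api.ipify.org", "icanhazip.com",
    "ip-api.com", "checkip.amazonaws.com",
}

# Assumed window (seconds) between an IP lookup and a following SMTP submission
# from the same source that we treat as one stealer run.
CHAIN_WINDOW = 300.0

# Constructed, Zeek-like records (not from the sandbox run):
#   ts uid src sport dst dport proto service hostname
SAMPLE_LOG = """\
1605000001.1 C1 10.0.0.15 49812 10.0.0.2 53 udp dns checkip.dyndns.org
1605000002.3 C2 10.0.0.15 49813 198.51.100.25 80 tcp http checkip.dyndns.org
1605000003.0 C3 10.0.0.15 49814 10.0.0.2 53 udp dns mail.roofmartlk.com
1605000004.7 C4 10.0.0.15 49815 203.0.113.10 587 tcp smtp mail.roofmartlk.com
1605000005.2 C5 10.0.0.22 50001 10.0.0.2 53 udp dns www.microsoft.com
1605000006.9 C6 10.0.0.22 50002 203.0.113.44 587 tcp smtp mail.example.com
"""


@dataclass(frozen=True)
class Event:
    ts: float
    uid: str
    src: str
    dst: str
    dport: int
    service: str
    host: str


@dataclass(frozen=True)
class Alert:
    uid: str
    src: str
    rule: str
    detail: str


def parse(log: str) -> list:
    """Parse the constructed record format; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        f = line.split()
        if len(f) != 9:
            continue
        events.append(Event(float(f[0]), f[1], f[2], f[4], int(f[5]), f[7], f[8].lower()))
    return events


def detect(log: str) -> list:
    alerts = []
    last_lookup = {}  # src -> timestamp of its most recent IP-lookup contact
    for ev in sorted(parse(log), key=lambda e: e.ts):
        if ev.host == C2_SMTP_HOST:
            alerts.append(Alert(ev.uid, ev.src, "c2_smtp_host",
                                f"{ev.service} contact with {ev.host}"))
        if ev.host in IP_LOOKUP_HOSTS:
            alerts.append(Alert(ev.uid, ev.src, "external_ip_lookup",
                                f"{ev.service} contact with {ev.host}"))
            last_lookup[ev.src] = ev.ts
        is_submission = ev.dport == C2_SMTP_PORT or ev.service == "smtp"
        if (is_submission and ev.src in last_lookup
                and ev.ts - last_lookup[ev.src] <= CHAIN_WINDOW):
            alerts.append(Alert(ev.uid, ev.src, "exfil_chain",
                                f"SMTP submission to {ev.host} "
                                f"{ev.ts - last_lookup[ev.src]:.1f}s after IP lookup"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.src} {a.uid} {a.rule}: {a.detail}")
```

The chain rule is the one worth keeping once the specific host is rotated: a workstation that asks a public service for its own IP and then opens a mail submission connection within a few minutes is the behavioural shape of this family, whichever SMTP server the current build points at. The second source, 10.0.0.22, also submits mail on 587 but never did an IP lookup, so it is left alone.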

Suspicious use of SetThreadContext
Calling SetThreadContext on a thread of another process is the usual final step of process hollowing (RunPE): a legitimate process is started suspended, the decrypted payload is written into it, the thread's entry point is redirected to the payload, and the thread is resumed. The API also has benign users such as debuggers, so treat it as a strong signal only together with the cross-process memory writes and the ResumeThread that follow it.