General

  • Target

    Swift copy.exe

  • Size

    556KB

  • Sample

    201109-v1bwebzdbj

  • MD5

    349ae61feada50c4b8ff926d5585b39c

  • SHA1

    64992674caf8b0e0c7f36f5bdcbd15429f28be8c

  • SHA256

    3b7f5600ea7bfb0af990233fb399996066af428042afc0bdc1ed468acfee750f

  • SHA512

    a1a584255c610b048d53b33ded8017f23e7335a6533ec40dedfd52debfc6451941d52cc8c1b06a8690bac4daf02ae8b66ad638ea71d846253ab8669a207d0ad6

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.roofmartlk.com
  • Port:
    587
  • Username:
    admin@roofmartlk.com
  • Password:
    ad@rm123

Targets

    • Target

      Swift copy.exe

    • Size

      556KB

    • MD5

      349ae61feada50c4b8ff926d5585b39c

    • SHA1

      64992674caf8b0e0c7f36f5bdcbd15429f28be8c

    • SHA256

      3b7f5600ea7bfb0af990233fb399996066af428042afc0bdc1ed468acfee750f

    • SHA512

      a1a584255c610b048d53b33ded8017f23e7335a6533ec40dedfd52debfc6451941d52cc8c1b06a8690bac4daf02ae8b66ad638ea71d846253ab8669a207d0ad6

    Score
    10/10
    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

    • rezer0

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

Tasks