Overview

overview

10

Static

static

SWIFTY COPY.exe

windows7_x64

10

SWIFTY COPY.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-12-2020 09:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFTY COPY.exe

  • Size

    745KB

  • MD5

    b848cc9c799857387b279d773e4250df

  • SHA1

    13c7f4df965698c1a8b10ced41ddec295f8634bb

  • SHA256

    b6247c787ec362f884203a581049a638a59a9db8dc6bac8cb88869a45704dfc9

  • SHA512

    48bfc3059a52bbe2668497b68747717e97f493aac40cd7900da337c72ed2ccb7e096b6e776bfcd8c79b3f1a7049d4bf4a3cdf5475c4395412766cefc105ee7bb

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.alsagranit.info/rhk/

Decoy

luuthingoctrinam247.online

upcas.info

cmoswipefiles.com

rene-jew.com

kiddoslunchboxes.com

52wanlol.com

konstela.com

dajiangzhibo11.com

huibaoyuanhty.com

boudot.one

myinfinitycollectionagency.com

letsgetsunny.com

gruppolarta.com

factoka.com

artistspal.com

gewnrecaalouine.com

etiquetadorada.com

brememshop.com

kangyiyan.com

testcitestdpp03.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe
      "C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KpYsLCogRWR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1092
      • C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe"
        3⤵
        • Deletes itself
        PID:812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp
    MD5

    eeacd9381e06a75083209210358324bd

    SHA1

    9c679e931e69b6818abd91885b3f9b6c7f88f8d1

    SHA256

    5046fe22c137db9b3e6e2f1f407b024373df0cc510e14886f62fc092bdbfff7c

    SHA512

    786e0a7511efbac69777cfa53fab668bb9280b51cc6ca29691f46ab92ea3074d924f18b5b935c104bd557721cce79f8b1675559d63a932938c1b6d30b845c9ab

    Download Submit
  • memory/636-11-0x0000000000000000-mapping.dmp
    Download
  • memory/636-12-0x0000000000E90000-0x0000000000EAC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/636-14-0x0000000002F90000-0x0000000003051000-memory.dmp
    Filesize

    772KB

    Download
  • memory/812-13-0x0000000000000000-mapping.dmp
    Download
  • memory/1092-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1120-9-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1120-10-0x000000000041EB80-mapping.dmp
    Download
  • memory/1640-2-0x00000000745C0000-0x0000000074CAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1640-3-0x00000000010B0000-0x00000000010B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1640-5-0x0000000000420000-0x000000000042E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1640-6-0x00000000006E0000-0x0000000000740000-memory.dmp
    Filesize

    384KB

    Download