General
- Target: ea02015ebbadefdbc7d4e33ab4982ef6db3cfe2ed42f19e8bef70358e219ec2f
- Size: 376KB
- Sample: 220521-bmgesscbb9
- MD5: 119ede5d5ee880f593d56a1d1ed1c1db
- SHA1: be0b892fded59755957b6dcf70ac7c4f87dd7906
- SHA256: ea02015ebbadefdbc7d4e33ab4982ef6db3cfe2ed42f19e8bef70358e219ec2f
- SHA512: 9c8b6e3a57fbdebf5d023a624bb996eb9cd3649c4f797b4b50e114618fa2eb1dc687ce23e6c123e55cb1b866e986ff830cc484d8e3a92b53fed95f4d6e3fba14
Static task: static1
Behavioral task: behavioral1
Sample: SWIFT COPY.exe
Resource: win7-20220414-en
Malware Config
Extracted: formbook (version 3.9, campaign ch62)
Targets
- Target: SWIFT COPY.exe
- Size: 581KB
- MD5: da742ece94ba3ede7902f700f0f09954
- SHA1: b9983af1eb41fee6a0bbefc06e0e263ebf1291ba
- SHA256: 28ddf0fa7f44508ea2b7c6f2de45496e5a031aa84d095c0b8c14732173073fc7
- SHA512: 95d4e5c639878043d89c8f26d4e876bb3d83728e757e61a9a9f96d0a13dc936dcd28072083552b78e382241793af63cfbbabdaf1367cddd21b3c1413bceabc3a
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
- Deletes itself
- Maps connected drives based on registry (Disk information is often read in order to detect sandboxing environments.)
- Suspicious use of SetThreadContext