General
Target: 047af98cc094d097fac765d062ecc31108bf8dd3d354cae228af27ded9844f47
Size: 365KB
Sample: 220521-d4zntabghj
MD5: 602f65ff29a0f408c3b7ffa4d7324d17
SHA1: 9b6d461c4ed33b0d67ba7dfa786c64bdfa06eada
SHA256: 047af98cc094d097fac765d062ecc31108bf8dd3d354cae228af27ded9844f47
SHA512: 94ec1b218bf6070e976afaa188f70fb4118b83c87914715254a0e75f9ff8992b92569fc807fb1445403a12571378461555a970e595a44540feb3e42cb714c36c
Static task: static1
Behavioral task: behavioral1
Sample: Swift copy.exe
Resource: win7-20220414-en
Malware Config
Extracted
Protocol: smtp
Host: mail.roofmartlk.com
Port: 587
Username: admin@roofmartlk.com
Password: ad@rm123
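The extracted config above is the sample's exfiltration channel: stolen data is mailed out through the attacker-controlled account on mail.roofmartlk.com. The block below is an added example of how a defender would turn those values into detection logic; it is not tooling from the sandbox or from the sample. The egress-log format, the SMTP transcript, the client hostname, the timestamps and the ip-lookup.example host are all constructed here. Note that SMTP AUTH LOGIN and AUTH PLAIN carry the username base64-encoded, so a string match on the cleartext username alone misses the authentication exchange; the check below decodes base64 tokens on client lines and compares them to the configured username.

```python
"""Match the SMTP exfiltration indicators from the extracted config
against constructed traffic. Added example, not sandbox or sample code.
All log lines and the SMTP transcript below are constructed."""
import base64
import binascii
import re

# Indicators taken from the extracted config above.
EXFIL_HOST = "mail.roofmartlk.com"
EXFIL_PORT = 587
EXFIL_USER = "admin@roofmartlk.com"

# Constructed egress-proxy log lines (assumed key=value format).
SAMPLE_LOGS = """\
ts=2022-05-21T04:13:02Z src=10.0.5.17 dst=mail.roofmartlk.com dport=587
ts=2022-05-21T04:13:05Z src=10.0.5.17 dst=ip-lookup.example dport=443
ts=2022-05-21T04:14:11Z src=10.0.5.22 dst=mail.example.org dport=587
ts=2022-05-21T04:15:40Z src=10.0.5.17 dst=mail.roofmartlk.com dport=25
"""

# Constructed SMTP session, client lines prefixed "C:" and server lines
# "S:". During AUTH LOGIN the username and password travel base64-encoded,
# so the cleartext values from the config never appear literally there.
SAMPLE_SMTP_SESSION = """\
S: 220 mail.roofmartlk.com ESMTP ready
C: EHLO WIN-7PC
S: 250-AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWRtaW5Acm9vZm1hcnRsay5jb20=
S: 334 UGFzc3dvcmQ6
C: YWRAcm0xMjM=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<admin@roofmartlk.com>
"""

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")


def _b64_decode(token):
    """Strict base64 decode; None for tokens that are not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_exfil_connections(log_text):
    """Return (ts, src, dport) for each log line whose destination is the
    configured mail host. The port is reported but not required: any
    connection to the exfiltration host is worth a look, not only 587."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("dst", "").lower() == EXFIL_HOST:
            hits.append((fields["ts"], fields["src"], int(fields["dport"])))
    return hits


def find_credential_use(session_text):
    """Scan an SMTP transcript for the configured username, either literally
    or base64-encoded inside an AUTH LOGIN or AUTH PLAIN exchange.
    Returns (kind, line_number) pairs, 1-indexed."""
    user = EXFIL_USER.encode()
    findings = []
    for lineno, line in enumerate(session_text.splitlines(), 1):
        if not line.startswith("C:"):
            continue  # only the client sends credentials
        if EXFIL_USER in line:
            findings.append(("LITERAL", lineno))
            continue
        for tok in B64_TOKEN.findall(line):
            raw = _b64_decode(tok)
            if raw is None:
                continue
            if raw == user:                      # AUTH LOGIN username step
                findings.append(("LOGIN", lineno))
            else:                                # AUTH PLAIN: authzid\0authcid\0passwd
                parts = raw.split(b"\x00")
                if len(parts) == 3 and parts[1] == user:
                    findings.append(("PLAIN", lineno))
    return findings


if __name__ == "__main__":
    for hit in find_exfil_connections(SAMPLE_LOGS):
        print("exfil host contacted:", hit)
    for kind, lineno in find_credential_use(SAMPLE_SMTP_SESSION):
        print(f"configured username used via {kind} on line {lineno}")
```

The transcript check only works where the SMTP exchange is visible in cleartext, which in practice means the sandbox's own capture or a TLS-inspecting proxy; a client that issues STARTTLS before AUTH hides the credential exchange from a passive tap, and the network-level match on the host is then the indicator that survives.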
Targets
Target: Swift copy.exe
Size: 556KB
MD5: 349ae61feada50c4b8ff926d5585b39c
SHA1: 64992674caf8b0e0c7f36f5bdcbd15429f28be8c
SHA256: 3b7f5600ea7bfb0af990233fb399996066af428042afc0bdc1ed468acfee750f
SHA512: a1a584255c610b048d53b33ded8017f23e7335a6533ec40dedfd52debfc6451941d52cc8c1b06a8690bac4daf02ae8b66ad638ea71d846253ab8669a207d0ad6
Score: 10/10
CoreEntity .NET Packer
A .NET packer known as CoreEntity. It stores the real payload as an embedded Bitmap object whose pixel data is decrypted at runtime to recover the executable that is then run.
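The carving routine below is an added example of the idea behind that signature: pull the pixel bytes out of a bitmap and decrypt them until a PE header appears. It is not CoreEntity's code and not part of the sandbox report. The bitmap, the stand-in payload and the single-byte XOR "encryption" are constructed here; the real packer's algorithm and key are not stated on this page and would have to be recovered from the loader stub. The example works on a BMP file so it runs offline; a .NET loader usually reads the pixels back through Bitmap.LockBits or GetPixel, so the row order and stride of the real image may differ from raw file order.

```python
"""Carve a payload hidden in the pixel area of a bitmap. Added example,
not the packer's or the sandbox's code. The bitmap, the fake PE and the
single-byte XOR key are constructed stand-ins for the unspecified
CoreEntity scheme."""
import struct


def build_bitmap(pixel_bytes, width=4):
    """Wrap raw bytes into a minimal 24-bit BMP (BITMAPINFOHEADER).
    width*3 is a multiple of 4 here so rows need no padding."""
    row = width * 3
    if len(pixel_bytes) % row:
        pixel_bytes += b"\x00" * (row - len(pixel_bytes) % row)
    height = len(pixel_bytes) // row
    off = 14 + 40                                   # file header + info header
    hdr = struct.pack("<2sIHHI", b"BM", off + len(pixel_bytes), 0, 0, off)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(pixel_bytes), 2835, 2835, 0, 0)
    return hdr + info + pixel_bytes


def pixel_data(bmp):
    """Return the pixel area, located via bfOffBits at file offset 10."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    off = struct.unpack_from("<I", bmp, 10)[0]
    return bmp[off:]


def looks_like_pe(data):
    """Cheap PE check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_payload(bmp):
    """Try every single-byte XOR key on the pixel bytes and return
    (key, payload) for the first one that yields a PE image, else None.
    Assumed scheme for illustration; swap in the real routine once the
    loader stub has been read."""
    raw = pixel_data(bmp)
    for key in range(256):
        cand = bytes(b ^ key for b in raw)
        if looks_like_pe(cand):
            return key, cand
    return None


# Constructed stand-in for a packed executable: a DOS header whose
# e_lfanew points at a PE signature at 0x40, then filler. 96 bytes.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"\x00" * 28)
KEY = 0x5A  # constructed key
SAMPLE_BITMAP = build_bitmap(bytes(b ^ KEY for b in FAKE_PE))

if __name__ == "__main__":
    found = carve_payload(SAMPLE_BITMAP)
    if found:
        key, payload = found
        print(f"key=0x{key:02x} payload={len(payload)} bytes, PE={looks_like_pe(payload)}")
    else:
        print("no PE found under single-byte XOR")
```

The useful habit this shows is the stopping condition: decrypt until a structure you can validate appears (here the MZ and PE signatures), rather than trusting the first decode that produces printable bytes. With a real sample the key is usually a string or byte array constant in the stub that calls into the Bitmap, and the same validation tells you when you have read it correctly.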
Executes dropped EXE

Checks computer location settings
Looks up the country code configured in the registry (typically the Geo\Nation value under HKCU\Control Panel\International), likely a geofence.

Loads dropped DLL

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Suspicious use of SetThreadContext
Setting another thread's context is a common step in process hollowing and similar injection techniques, consistent with a packer unwrapping a payload into a fresh process.