General

  • Target

    047af98cc094d097fac765d062ecc31108bf8dd3d354cae228af27ded9844f47

  • Size

    365KB

  • Sample

    220521-d4zntabghj

  • MD5

    602f65ff29a0f408c3b7ffa4d7324d17

  • SHA1

    9b6d461c4ed33b0d67ba7dfa786c64bdfa06eada

  • SHA256

    047af98cc094d097fac765d062ecc31108bf8dd3d354cae228af27ded9844f47

  • SHA512

    94ec1b218bf6070e976afaa188f70fb4118b83c87914715254a0e75f9ff8992b92569fc807fb1445403a12571378461555a970e595a44540feb3e42cb714c36c

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.roofmartlk.com
  • Port:
    587
  • Username:
    admin@roofmartlk.com
  • Password:
    ad@rm123

Targets

    • Target

      Swift copy.exe

    • Size

      556KB

    • MD5

      349ae61feada50c4b8ff926d5585b39c

    • SHA1

      64992674caf8b0e0c7f36f5bdcbd15429f28be8c

    • SHA256

      3b7f5600ea7bfb0af990233fb399996066af428042afc0bdc1ed468acfee750f

    • SHA512

      a1a584255c610b048d53b33ded8017f23e7335a6533ec40dedfd52debfc6451941d52cc8c1b06a8690bac4daf02ae8b66ad638ea71d846253ab8669a207d0ad6

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Defense Evasion       Install Root Certificate      1      T1130
  Defense Evasion       Modify Registry               1      T1112
  Credential Access     Credentials in Files          1      T1081
  Discovery             Query Registry                1      T1012
  Discovery             System Information Discovery  2      T1082
  Collection            Data from Local System        1      T1005

Tasks