Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
01-09-2022 20:50
General
-
Target
swift.exe
-
Size
714KB
-
MD5
3512514972b6f3d79491a5ded8617788
-
SHA1
ba6548c7bf1227b05278dc2372a91347d7d100c3
-
SHA256
fdeafb2bf6cc3d798d2fa099f3619d096f17a57b89172020922c2a63f48d8aeb
-
SHA512
d638dc0bbd6b81053ed9cd58b7a276801748586a6039371f1a039399e0794a97758011e7bec08bfe7ec5ed25ad229e3d0273cae3b152d37133bb5f9a7b336e18
-
SSDEEP
12288:a6HZX/QV280RF75ehGBEnuaDDhvJun2zro8b4p00zyIZPzHC2:aUGM80RZ5j8ucFRqQr1b5IVHC2
Malware Config
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\swift.exe"C:\Users\Admin\AppData\Local\Temp\swift.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZqJCnirrxQudpN.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZqJCnirrxQudpN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8FDC.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\swift.exe"C:\Users\Admin\AppData\Local\Temp\swift.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57ef8515251b25f5184a9960143b86cf2
SHA1067048c36c479ddc426d16763da621fec01ddc3d
SHA2560aafb98a0c940d8fbc5754aee7f5ed3e250a8711365de78492ad36569f287ef5
SHA512d56420001d2e9fcd07252fe625d3ba65c90eb8e67039ac587b397e78192d6499104bbb6f25b23bbfbb7eedd6582e80812ccf6e177c94e4e5cd51f0a999bf1c3c
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
1.6MB
-
Filesize
584KB
-
Filesize
736KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
600KB
-
Filesize
56KB
-
Filesize
216KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
408KB