Overview

overview

10

Static

static

1

swift.exe

windows7-x64

10

swift.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/02/2023, 11:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    swift.exe

  • Size

    293KB

  • MD5

    b63f00f4bbecd14217d4d9de887ff832

  • SHA1

    3848bd9a52433f94bb77b41e77620323b3faa0e0

  • SHA256

    3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b

  • SHA512

    73f703796d982e1f32264cd488add845b4c71cb7ab108be116d450c6e94d771f7b40254e4963e9c9190c42eb9b7865dc66ec334f96d9aa68a8d95b190baa66c9

  • SSDEEP

    6144:vYa6N0CqudwpubkE5cYtAqStGC3BjAsnlE7wbWs6tV1w2HIN58Zj:vYv1q0bLOYtAqSZBjxnlEMqs6v258F

Score
10/10
formbookk04sratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k04s

Decoy

draanabellrojas.com

in03.one

kyraloves.co.uk

laluma.store

londoncell.com

kanurikibueadvocates.com

buyeasynow.net

escapefromtarkov-wiki.com

crewint.net

f-b.boats

beautyaidstudio.com

ashfieldconsultancy.uk

dlogsadood.com

ftgam.xyz

constantinopanama.com

yellowpocket.africa

konyil.com

easomobility.com

1135wickloecourt.com

indexb2b.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\AppData\Local\Temp\swift.exe
      "C:\Users\Admin\AppData\Local\Temp\swift.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Users\Admin\AppData\Local\Temp\sdefhsh.exe
        "C:\Users\Admin\AppData\Local\Temp\sdefhsh.exe" C:\Users\Admin\AppData\Local\Temp\wztwanmwli.yu
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4724
        • C:\Users\Admin\AppData\Local\Temp\sdefhsh.exe
          "C:\Users\Admin\AppData\Local\Temp\sdefhsh.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2140
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\sdefhsh.exe"
        3⤵
          PID:3848

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\sdefhsh.exe
            Filesize

            139KB

            MD5

            7eea6f906e8fce8ddcb55c4e4e418e60

            SHA1

            bc5ceca647a64879607af73226ab5d40d574ba7d

            SHA256

            f87a495d1f7e306fa8112d09a8f205248bbd13ba623a818489ba6768ab5f8ff2

            SHA512

            d02fd61052241b387914da35f0dd71561d4aa8d9553d028c41f2a4baded9e7b1d1202d09a9a5bf51bd527d0688b82a8136e5132b0980461ea32ca43ccf51aa9f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\sdefhsh.exe
            Filesize

            139KB

            MD5

            7eea6f906e8fce8ddcb55c4e4e418e60

            SHA1

            bc5ceca647a64879607af73226ab5d40d574ba7d

            SHA256

            f87a495d1f7e306fa8112d09a8f205248bbd13ba623a818489ba6768ab5f8ff2

            SHA512

            d02fd61052241b387914da35f0dd71561d4aa8d9553d028c41f2a4baded9e7b1d1202d09a9a5bf51bd527d0688b82a8136e5132b0980461ea32ca43ccf51aa9f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\sdefhsh.exe
            Filesize

            139KB

            MD5

            7eea6f906e8fce8ddcb55c4e4e418e60

            SHA1

            bc5ceca647a64879607af73226ab5d40d574ba7d

            SHA256

            f87a495d1f7e306fa8112d09a8f205248bbd13ba623a818489ba6768ab5f8ff2

            SHA512

            d02fd61052241b387914da35f0dd71561d4aa8d9553d028c41f2a4baded9e7b1d1202d09a9a5bf51bd527d0688b82a8136e5132b0980461ea32ca43ccf51aa9f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tbhtelloa.dw
            Filesize

            205KB

            MD5

            82ce46619073e2fc251d34c6868d3c30

            SHA1

            5a1ed7bfe3b48eabf3cb77824ed6a8ddd58e23da

            SHA256

            4b8bc066c0ad3af19527c4b4a76743289bf64c56819ad7352bac4bbddd1ebda8

            SHA512

            b7c21c300aacb5345b9de83e926e99f0dd717f1fdf20985275a990a4d19ade9f67b66ab5db3906dd3489494665315dfe78434581a0fe82d65a91051af0a06022

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\wztwanmwli.yu
            Filesize

            5KB

            MD5

            95772c0e1d7d7f818feeff2eab45810c

            SHA1

            a539963d4fafc94449e17bc711404e98ed560b47

            SHA256

            8182109c9e5fc41a04b1b7e62c6574f4435b07c3c1e83d785939da9af08c933e

            SHA512

            2821943d3de10ea6f0e8027273200c3835b13973b3700fa9b1532b3a051debb831984e32cba04219bcb8241e91eb5b400b4a354419f408b9dda9f0ac1a0f68bb

            Download Submit

          • memory/2140-142-0x0000000000F70000-0x0000000000F84000-memory.dmp

            Filesize

            80KB

            Download

          • memory/2140-139-0x0000000000BD0000-0x0000000000F1A000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2140-140-0x0000000000F20000-0x0000000000F34000-memory.dmp

            Filesize

            80KB

            Download

          • memory/2516-147-0x0000000001500000-0x000000000184A000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2516-146-0x00000000004E0000-0x00000000004EE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2516-148-0x0000000000A60000-0x0000000000A8F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2516-149-0x0000000001400000-0x0000000001493000-memory.dmp

            Filesize

            588KB

            Download

          • memory/2516-151-0x0000000000A60000-0x0000000000A8F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2644-143-0x0000000002810000-0x0000000002945000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2644-141-0x0000000008090000-0x000000000820C000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2644-150-0x0000000008210000-0x0000000008318000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2644-152-0x0000000008210000-0x0000000008318000-memory.dmp

            Filesize

            1.0MB

            Download