Overview

overview

10

Static

static

1

Swift Copy.exe

windows7-x64

10

Swift Copy.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2023 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Swift Copy.exe

  • Size

    477KB

  • MD5

    a4aaddb2062a280e675fefce52951ec2

  • SHA1

    c5ee44c93aeda42a644135a859e714618b81207e

  • SHA256

    06781e8b2a7faff43c97cbcbe19a19b2085f66ac023747ac69c05866c96d855f

  • SHA512

    21c01ad6f9d0d8ce7695876c2f2cf9b6147360afc2dcaaaa19260944a751bad46b567fcdefbc148818d196bc8f90b643b4c13df3ef7ca5cb05a0d55b55f96041

  • SSDEEP

    12288:AdssEQWLUed3qIj/m/GD/i58FvZ6V8ffx1Ry85dDd:Aa3qK/coy8W8ffxzy8/

Score
10/10
formbookarn2ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

arn2

Decoy

girlzongrass.com

starphotostudio.co.uk

bugsbunnyexpress.com

kimeepayne.com

gtcoplc.africa

generativeseller.com

chain-bnb.com

diamante24.com

fine-and-good.com

vexlotex.africa

legendary-royale.net

draandreaprimera.com

geteit.com

epremiuminsurancce.com

adn-care.com

kazakhstanfootball.com

bizinares.com

folug.club

fuda808.com

internationalkia.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
      "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
        3⤵
          PID:1960
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1780
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\SysWOW64\ipconfig.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Gathers network information
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
          3⤵
            PID:468

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/964-67-0x0000000000090000-0x00000000000BF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/964-63-0x0000000000040000-0x000000000004A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/964-64-0x0000000000040000-0x000000000004A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/964-70-0x0000000001D00000-0x0000000001D93000-memory.dmp
        Filesize

        588KB

        Download
      • memory/964-65-0x0000000000090000-0x00000000000BF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/964-66-0x0000000001FD0000-0x00000000022D3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1244-62-0x0000000006D10000-0x0000000006EA1000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1244-74-0x0000000004810000-0x00000000048F9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/1244-72-0x0000000004810000-0x00000000048F9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/1244-71-0x0000000004810000-0x00000000048F9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/1780-60-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1780-59-0x00000000008B0000-0x0000000000BB3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1780-61-0x00000000002B0000-0x00000000002C4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1780-57-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2020-54-0x0000000001000000-0x000000000107C000-memory.dmp
        Filesize

        496KB

        Download
      • memory/2020-56-0x000000001B490000-0x000000001B510000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2020-55-0x0000000000490000-0x0000000000504000-memory.dmp
        Filesize

        464KB

        Download