General
Target: SWIFT.7z
Size: 309KB
Sample: 230412-gm2cvsbh5x
MD5: 1fc4fab06c72d3ed4032a7fef16e083a
SHA1: c895d5ba185a7da9d6795b587839bbc9c81a0921
SHA256: e9f7f56bc3de6401e73e911d5762780f50dc5b8739850a8cb43f980f87f14473
SHA512: 8ecd660ebb3af924fffe0502886458ce821afb49d65fbe9a6b764e8be8ec5ecb020e0d985852d8eed43334867803f2bd72ca1299b7730a1188a6e08967878e8d
SSDEEP: 6144:3liN13uhYgjYU87XiTTdEyoUlmLpvj2AfLgaIqeZFSQ/KgqJIZa1+ONe7Bj:3UN13ujjYXCTyP7Lpb2q0Uyv/Lqea/eJ
Static task: static1
Behavioral task: behavioral1 (Sample: SWIFT.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: SWIFT.exe, Resource: win10v2004-20230220-en)
Malware Config
Extracted: warzonerat
C2 (host:port): nightmare4666.ddns.net:3443
Targets
Target: SWIFT.exe (extracted from SWIFT.7z)
Size: 847KB
MD5: 24b58901a371adc86a36b7cc1189f2f6
SHA1: 4421669b2b505db421e5ecb36119aee48ade108f
SHA256: a2231cdfce2e5ec3adcdb8535b1663da96d390e65c0f0c83c385a96d97790f0e
SHA512: 8ba3252a9722e0e32a1bf2a6ff3ce51127a02df32bf56bed9e771aa7cde80853a0d1475bef10e3cbd2dd9592b3b1950fb3300536f37ebe9961e06140df7ef795
SSDEEP: 12288:m8rLgxLKQfJJuXFI3MU+oVv6G57D1l0JttQCMO+U1xldIuau/T2SAzCk13h:RrLgO0023ZQK9qEO+U1xldqu/T2SADh
ModiLoader (also tracked as DBatLoader)
ModiLoader is a Delphi-written loader that abuses legitimate cloud file-hosting services to fetch and run other malware families.

WarzoneRat (also tracked as AveMaria)
WarzoneRat is a native C++ RAT with a plugin architecture, sold as malware-as-a-service (MaaS).
Signatures
- ModiLoader Second Stage
- Warzone RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles (where stored mail-account credentials live)
- Adds Run key to start application (persistence under the ...\CurrentVersion\Run registry key)
- Suspicious use of SetThreadContext (rewriting another thread's context is the usual process-hollowing step: a process is started suspended, the payload is written into it, and execution is redirected before the thread is resumed)
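The report gives file hashes, an extracted C2 host:port and behavioural signatures, but no hunting logic. The Python below is an added example, not part of the sandbox report and not code from the sandbox vendor or the malware operators. It carries the report's hashes and C2 indicator and runs them over constructed key=value telemetry lines; the timestamps, hostnames, file paths, the Run-key value name and the answer address 203.0.113.7 are invented for illustration. Because the C2 is a dynamic-DNS name with no stable IP to block, the scanner pivots from the DNS answer it observes to later flows to that address.

```python
import hashlib
import re

# Indicators copied from the report above. Everything else in this block
# (log lines, hosts, paths, the 203.0.113.7 answer) is constructed.
REPORT_IOCS = {
    "md5": {
        "1fc4fab06c72d3ed4032a7fef16e083a",  # SWIFT.7z
        "24b58901a371adc86a36b7cc1189f2f6",  # SWIFT.exe
    },
    "sha1": {
        "c895d5ba185a7da9d6795b587839bbc9c81a0921",
        "4421669b2b505db421e5ecb36119aee48ade108f",
    },
    "sha256": {
        "e9f7f56bc3de6401e73e911d5762780f50dc5b8739850a8cb43f980f87f14473",
        "a2231cdfce2e5ec3adcdb8535b1663da96d390e65c0f0c83c385a96d97790f0e",
    },
    "c2_host": {"nightmare4666.ddns.net"},
    "c2_port": {3443},
}

HASH_KIND_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Longest alternative first so a sha256 is not also reported as md5/sha1.
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
KV_RE = re.compile(r"(\w+)=(\S+)")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)


def file_hashes(data: bytes) -> dict:
    """Hash a blob the same way the report does, for comparing a local file."""
    return {k: getattr(hashlib, k)(data).hexdigest() for k in ("md5", "sha1", "sha256")}


def match_hash(candidate: str):
    """Return the hash kind if candidate (any case) is a reported hash, else None."""
    h = candidate.strip().lower()
    kind = HASH_KIND_BY_LEN.get(len(h))
    return kind if kind and h in REPORT_IOCS[kind] else None


def scan_telemetry(lines):
    """Scan key=value log lines and return (line_no, reason) hits.

    DNS answers for the C2 host are remembered so that later flows to the
    resolved address on the configured port are attributed to the C2.
    """
    hits = []
    c2_addrs = set()
    for n, line in enumerate(lines, 1):
        kv = dict(KV_RE.findall(line))
        # 1. Known-bad hashes anywhere on the line, case-normalised.
        for h in HEX_RE.findall(line):
            kind = match_hash(h)
            if kind:
                hits.append((n, f"{kind} matches report sample"))
        # 2. DNS query for the C2 host; remember what it resolved to.
        if kv.get("query", "").lower() in REPORT_IOCS["c2_host"]:
            hits.append((n, "dns query for WarzoneRAT C2 host"))
            if "answer" in kv:
                c2_addrs.add(kv["answer"])
        # 3. Flow to a previously resolved C2 address on the configured port.
        dst = kv.get("dst", "")
        if ":" in dst:
            ip, port = dst.rsplit(":", 1)
            if ip in c2_addrs and port.isdigit() and int(port) in REPORT_IOCS["c2_port"]:
                hits.append((n, "tcp flow to resolved C2 address on port 3443"))
        # 4. Run-key persistence, the 'Adds Run key' signature seen from the host.
        if kv.get("event") == "SetValue" and RUN_KEY_RE.search(kv.get("key", "")):
            hits.append((n, "run key written: " + kv.get("data", "?")))
    return hits


# Constructed telemetry: one infected workstation (WS01) and benign noise (WS02).
SAMPLE_LOG = [
    r"2023-04-12T10:00:01Z host=WS01 event=ProcessCreate image=C:\Users\a\Downloads\SWIFT.exe "
    r"sha256=A2231CDFCE2E5EC3ADCDB8535B1663DA96D390E65C0F0C83C385A96D97790F0E",
    r"2023-04-12T10:00:02Z host=WS01 event=SetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
    r"value=SWIFT data=C:\Users\a\Downloads\SWIFT.exe",
    r"2023-04-12T10:00:03Z host=WS01 event=Dns query=nightmare4666.ddns.net answer=203.0.113.7",
    r"2023-04-12T10:00:04Z host=WS01 event=Flow proto=tcp src=10.0.0.5:49812 dst=203.0.113.7:3443",
    r"2023-04-12T10:05:00Z host=WS02 event=Flow proto=tcp src=10.0.0.6:50001 dst=203.0.113.7:443",
    r"2023-04-12T10:06:00Z host=WS02 event=Dns query=update.microsoft.com answer=198.51.100.9",
]


if __name__ == "__main__":
    for line_no, reason in scan_telemetry(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The port gate on the flow check keeps a shared dynamic-DNS address from lighting up every unrelated connection, at the cost of missing the operator moving the listener to another port; drop the port condition if the resolved address is known to be dedicated to this C2.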