Overview

overview

10

Static

static

3

SWIFTCOPYM...df.exe

windows7-x64

10

SWIFTCOPYM...df.exe

windows10-1703-x64

10

SWIFTCOPYM...df.exe

windows10-2004-x64

SWIFTCOPYM...df.exe

windows11-21h2-x64

7

Resubmissions

26-04-2024 11:35

240426-npzqdaff25 10

26-04-2024 11:28

240426-nkzvksfe25 7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SWIFTCOPYMT1030000000_pdf.exe

  • Size

    411KB

  • Sample

    240426-npzqdaff25

  • MD5

    1048340bcfae30df032c161ac52f8f0e

  • SHA1

    8a3370d01a170626ef43202f5fe54e27372abec4

  • SHA256

    47a75ba2cc69f372c816fb61d079ebe6e3a81eeeb16e72726725b088a59f4e94

  • SHA512

    446b5293fe99200305cde7b4eaf17613b6c211ac46ce5ef38d383546c727de348f6f4733051674ce309a1ed401941985120b0f80f449239d3375f91a2de2704c

  • SSDEEP

    6144:TzZzycMVGAnF3KMrbYTE6ZudWKJJGGCaSninelmgkpmcqaw/cXraHvfMV:5V9QF3ihgxtdel+jw/ar4vm

Score
10/10
guloaderdownloaderpersistence

Malware Config

Targets

    • Target

      SWIFTCOPYMT1030000000_pdf.exe

    • Size

      411KB

    • MD5

      1048340bcfae30df032c161ac52f8f0e

    • SHA1

      8a3370d01a170626ef43202f5fe54e27372abec4

    • SHA256

      47a75ba2cc69f372c816fb61d079ebe6e3a81eeeb16e72726725b088a59f4e94

    • SHA512

      446b5293fe99200305cde7b4eaf17613b6c211ac46ce5ef38d383546c727de348f6f4733051674ce309a1ed401941985120b0f80f449239d3375f91a2de2704c

    • SSDEEP

      6144:TzZzycMVGAnF3KMrbYTE6ZudWKJJGGCaSninelmgkpmcqaw/cXraHvfMV:5V9QF3ihgxtdel+jw/ar4vm

    Score
    10/10
    guloaderdownloaderpersistence

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks