Malware Analysis Report

2025-05-05 21:47

Sample ID 240830-h3aqhstcnm
Target SWIFT COPIES.exe
SHA256 125feebfb2a0a40dabe47bc79cabfc93c575e7a670890ba2aab42f2743ea532f
Tags
vipkeylogger collection credential_access discovery keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

125feebfb2a0a40dabe47bc79cabfc93c575e7a670890ba2aab42f2743ea532f

Threat Level: Known bad

The file SWIFT COPIES.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection credential_access discovery keylogger stealer

VIPKeylogger

Credentials from Password Stores: Credentials from Web Browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

outlook_office_path

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-30 07:15

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-30 07:15

Reported

2024-08-30 07:17

Platform

win10v2004-20240802-en

Max time kernel

135s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4488 set thread context of 1100 N/A C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe

"C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 169.8.226.132.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 mail.humatextiles.com udp
GB 149.255.62.163:587 mail.humatextiles.com tcp
US 8.8.8.8:53 163.62.255.149.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4488-11-0x00000000009E0000-0x00000000009E4000-memory.dmp

memory/1100-12-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1100-13-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1100-16-0x00000000745FE000-0x00000000745FF000-memory.dmp

memory/1100-15-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1100-14-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1100-17-0x0000000005280000-0x00000000052DE000-memory.dmp

memory/1100-19-0x0000000005980000-0x0000000005F24000-memory.dmp

memory/1100-18-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1100-21-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1100-20-0x0000000005320000-0x000000000537C000-memory.dmp

memory/1100-22-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1100-52-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-82-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-80-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-78-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-76-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-74-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-72-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-70-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-68-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-66-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-64-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-62-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-60-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-58-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-56-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-54-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-50-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-48-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-46-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-44-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-42-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-38-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-36-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-34-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-32-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-30-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-26-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-40-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-28-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-24-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-23-0x0000000005320000-0x0000000005377000-memory.dmp

memory/1100-1113-0x0000000005470000-0x000000000550C000-memory.dmp

memory/1100-1114-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1100-1115-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1100-1116-0x00000000745FE000-0x00000000745FF000-memory.dmp

memory/1100-1117-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1100-1118-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1100-1119-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1100-1120-0x00000000067C0000-0x0000000006982000-memory.dmp

memory/1100-1121-0x0000000006640000-0x0000000006690000-memory.dmp

memory/1100-1122-0x0000000006EC0000-0x00000000073EC000-memory.dmp

memory/1100-1123-0x0000000006A30000-0x0000000006AC2000-memory.dmp

memory/1100-1124-0x0000000006990000-0x000000000699A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-30 07:15

Reported

2024-08-30 07:17

Platform

win7-20240708-en

Max time kernel

68s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2640 set thread context of 2036 N/A C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe

"C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\SWIFT COPIES.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 mail.humatextiles.com udp
GB 149.255.62.163:587 mail.humatextiles.com tcp

Files

memory/2640-11-0x0000000000130000-0x0000000000134000-memory.dmp

memory/2036-12-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2036-14-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2036-15-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2036-16-0x00000000749FE000-0x00000000749FF000-memory.dmp

memory/2036-17-0x0000000000230000-0x000000000028E000-memory.dmp

memory/2036-18-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2036-20-0x0000000000C90000-0x0000000000CEC000-memory.dmp

memory/2036-21-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2036-19-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2036-47-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-81-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-79-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-77-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-73-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-71-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-69-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-67-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-65-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-63-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-61-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-59-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-57-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-55-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-53-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-51-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-45-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-43-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-41-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-39-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-37-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-35-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-33-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-31-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-29-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-27-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-25-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-75-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-23-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-22-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-49-0x0000000000C90000-0x0000000000CE7000-memory.dmp

memory/2036-1112-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2036-1113-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2036-1114-0x00000000749FE000-0x00000000749FF000-memory.dmp

memory/2036-1115-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2036-1116-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2036-1117-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2036-1118-0x00000000749F0000-0x00000000750DE000-memory.dmp