Overview

overview

10

Static

static

3

SWIFT COPY.exe

windows7-x64

10

SWIFT COPY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2024 19:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT COPY.exe

  • Size

    491KB

  • MD5

    1e83fcc22cccdab1b97887b371f4b8d4

  • SHA1

    1f2ae9417601ffea6c57643a7b56e78b50c8cb2d

  • SHA256

    ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3

  • SHA512

    f5b2fa7f380d3deabc4fe346704f8689ba8b64962080aee843c346c44b98a059db743aacb301725b22c6a7dcc34c3f5810baadaed7e6e880e8bfaa7ac1fcb29d

  • SSDEEP

    6144:a8mQxbxKRcW/+sbJT4nwWQjqsV0KdYetrjstIoT5GWeuWiKASr:a8mqbx1C+6inwWQjLr2moToWaiW

Score
10/10
formbookrhkdefense_evasiondiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rhk

Decoy

decodemethod.com

mamakeyfim.xyz

3smokers.com

rentaspendirect.com

projectstasksjobs.com

animedesignetees.com

ursthegardennurse.com

sunandmoonshirts.com

encuentros-es.com

nevadahomebirth.com

xoxoplants.com

tentenos.com

anhpham.net

beyondtourney.com

surfficient.com

wannahavedays.online

hmyhvgxax.icu

holisticskincarecompany.com

juggfuckers.com

ixgrmz.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 1 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
      "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
        "C:/Users/Admin/AppData/Local/Temp/SWIFT COPY.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/SWIFT COPY.exe" "%temp%\FolderN\name.exe" /Y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2872
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        3⤵
        • Subvert Trust Controls: Mark-of-the-Web Bypass
        • System Location Discovery: System Language Discovery
        • NTFS ADS
        PID:2932
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:3064
      • C:\Windows\SysWOW64\colorcpl.exe
        "C:\Windows\SysWOW64\colorcpl.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\FolderN\name.exe
      Filesize

      491KB

      MD5

      1e83fcc22cccdab1b97887b371f4b8d4

      SHA1

      1f2ae9417601ffea6c57643a7b56e78b50c8cb2d

      SHA256

      ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3

      SHA512

      f5b2fa7f380d3deabc4fe346704f8689ba8b64962080aee843c346c44b98a059db743aacb301725b22c6a7dcc34c3f5810baadaed7e6e880e8bfaa7ac1fcb29d

      Download Submit

    • memory/2076-1-0x00000000002A0000-0x0000000000320000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2076-2-0x00000000744E0000-0x0000000074BCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2076-21-0x00000000744E0000-0x0000000074BCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2076-20-0x00000000744E0000-0x0000000074BCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2076-19-0x00000000744EE000-0x00000000744EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2076-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2720-9-0x00000000000B0000-0x00000000000DE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2720-14-0x0000000000930000-0x0000000000C33000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2720-4-0x00000000000B0000-0x00000000000DE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2720-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2720-5-0x00000000000B0000-0x00000000000DE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2812-18-0x00000000004E0000-0x00000000004F8000-memory.dmp

      Filesize

      96KB

      Download