Edit tour

Windows Analysis Report
Bank Swift Payment.bat.exe

Overview

General Information

Sample name:	Bank Swift Payment.bat.exe
Analysis ID:	1637287
MD5:	6157bd9e1f8f34619e222262a71b79cd
SHA1:	31818fbc3eec3c641f28bbcf94c59dea97f1cacf
SHA256:	3c7f61519b46af007450df7ef19b49df3a8b60d0b7c4fd82112068994262be6e
Tags:	exeuser-James_inthe_box
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

Bank Swift Payment.bat.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\Bank Swift Payment.bat.exe" MD5: 6157BD9E1F8F34619E222262A71B79CD)

powershell.exe (PID: 5984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bank Swift Payment.bat.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\Bank Swift Payment.bat.exe" MD5: 6157BD9E1F8F34619E222262A71B79CD)

Bank Swift Payment.bat.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\Bank Swift Payment.bat.exe" MD5: 6157BD9E1F8F34619E222262A71B79CD)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "admin@bouttases.fr", "Password": "NiconPay$", "Server": "mail.bouttases.fr", "To": "collect@bouttases.fr", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf893:$a1: get_encryptedPassword 0xfbbb:$a2: get_encryptedUsername 0xf60e:$a3: get_timePasswordChanged 0xf72f:$a4: get_passwordField 0xf8a9:$a5: set_encryptedPassword 0x11210:$a7: get_logins 0x10ec1:$a8: GetOutlookPasswords 0x10cb3:$a9: StartKeylogger 0x11160:$a10: KeyLoggerEventArgs 0x10d10:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10a13:$a1: get_encryptedPassword 0x28033:$a1: get_encryptedPassword 0x3f453:$a1: get_encryptedPassword 0x10d3b:$a2: get_encryptedUsername 0x2835b:$a2: get_encryptedUsername 0x3f77b:$a2: get_encryptedUsername 0x1078e:$a3: get_timePasswordChanged 0x27dae:$a3: get_timePasswordChanged 0x3f1ce:$a3: get_timePasswordChanged 0x108af:$a4: get_passwordField 0x27ecf:$a4: get_passwordField 0x3f2ef:$a4: get_passwordField 0x10a29:$a5: set_encryptedPassword 0x28049:$a5: set_encryptedPassword 0x3f469:$a5: set_encryptedPassword 0x12390:$a7: get_logins 0x299b0:$a7: get_logins 0x40dd0:$a7: get_logins 0x12041:$a8: GetOutlookPasswords 0x29661:$a8: GetOutlookPasswords 0x40a81:$a8: GetOutlookPasswords
Process Memory Space: Bank Swift Payment.bat.exe PID: 6932	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Bank Swift Payment.bat.exe PID: 6932	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Bank Swift Payment.bat.exe PID: 6932	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Bank Swift Payment.bat.exe PID: 6932	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Bank Swift Payment.bat.exe PID: 6932	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3377:$a1: get_encryptedPassword 0x3690:$a2: get_encryptedUsername 0x3106:$a3: get_timePasswordChanged 0x3227:$a4: get_passwordField 0x338d:$a5: set_encryptedPassword 0x4c9b:$a7: get_logins 0x494c:$a8: GetOutlookPasswords 0x473e:$a9: StartKeylogger 0x4beb:$a10: KeyLoggerEventArgs 0x479b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Bank Swift Payment.bat.exe PID: 7160	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Bank Swift Payment.bat.exe PID: 7160	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Bank Swift Payment.bat.exe PID: 7160	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Bank Swift Payment.bat.exe PID: 7160	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4ea63:$a1: get_encryptedPassword 0x4ed7c:$a2: get_encryptedUsername 0x4e7f2:$a3: get_timePasswordChanged 0x4e913:$a4: get_passwordField 0x4ea79:$a5: set_encryptedPassword 0x50387:$a7: get_logins 0x50038:$a8: GetOutlookPasswords 0x4fe2a:$a9: StartKeylogger 0x502d7:$a10: KeyLoggerEventArgs 0x4fe87:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdc93:$a1: get_encryptedPassword 0xdfbb:$a2: get_encryptedUsername 0xda0e:$a3: get_timePasswordChanged 0xdb2f:$a4: get_passwordField 0xdca9:$a5: set_encryptedPassword 0xf610:$a7: get_logins 0xf2c1:$a8: GetOutlookPasswords 0xf0b3:$a9: StartKeylogger 0xf560:$a10: KeyLoggerEventArgs 0xf110:$a11: KeyLoggerEventArgsEventHandler
0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12ee3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x123e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x126ef:$a4: \Orbitum\User Data\Default\Login Data 0x134e7:$a5: \Kometa\User Data\Default\Login Data
6.2.Bank Swift Payment.bat.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.Bank Swift Payment.bat.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
6.2.Bank Swift Payment.bat.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.Bank Swift Payment.bat.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfa93:$a1: get_encryptedPassword 0xfdbb:$a2: get_encryptedUsername 0xf80e:$a3: get_timePasswordChanged 0xf92f:$a4: get_passwordField 0xfaa9:$a5: set_encryptedPassword 0x11410:$a7: get_logins 0x110c1:$a8: GetOutlookPasswords 0x10eb3:$a9: StartKeylogger 0x11360:$a10: KeyLoggerEventArgs 0x10f10:$a11: KeyLoggerEventArgsEventHandler
6.2.Bank Swift Payment.bat.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14ce3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x141e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x144ef:$a4: \Orbitum\User Data\Default\Login Data 0x152e7:$a5: \Kometa\User Data\Default\Login Data
0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdc93:$a1: get_encryptedPassword 0xdfbb:$a2: get_encryptedUsername 0xda0e:$a3: get_timePasswordChanged 0xdb2f:$a4: get_passwordField 0xdca9:$a5: set_encryptedPassword 0xf610:$a7: get_logins 0xf2c1:$a8: GetOutlookPasswords 0xf0b3:$a9: StartKeylogger 0xf560:$a10: KeyLoggerEventArgs 0xf110:$a11: KeyLoggerEventArgsEventHandler
0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12ee3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x123e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x126ef:$a4: \Orbitum\User Data\Default\Login Data 0x134e7:$a5: \Kometa\User Data\Default\Login Data
0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfa93:$a1: get_encryptedPassword 0x26eb3:$a1: get_encryptedPassword 0xfdbb:$a2: get_encryptedUsername 0x271db:$a2: get_encryptedUsername 0xf80e:$a3: get_timePasswordChanged 0x26c2e:$a3: get_timePasswordChanged 0xf92f:$a4: get_passwordField 0x26d4f:$a4: get_passwordField 0xfaa9:$a5: set_encryptedPassword 0x26ec9:$a5: set_encryptedPassword 0x11410:$a7: get_logins 0x28830:$a7: get_logins 0x110c1:$a8: GetOutlookPasswords 0x284e1:$a8: GetOutlookPasswords 0x10eb3:$a9: StartKeylogger 0x282d3:$a9: StartKeylogger 0x11360:$a10: KeyLoggerEventArgs 0x28780:$a10: KeyLoggerEventArgs 0x10f10:$a11: KeyLoggerEventArgsEventHandler 0x28330:$a11: KeyLoggerEventArgsEventHandler
0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfa93:$a1: get_encryptedPassword 0x270b3:$a1: get_encryptedPassword 0x3e4d3:$a1: get_encryptedPassword 0xfdbb:$a2: get_encryptedUsername 0x273db:$a2: get_encryptedUsername 0x3e7fb:$a2: get_encryptedUsername 0xf80e:$a3: get_timePasswordChanged 0x26e2e:$a3: get_timePasswordChanged 0x3e24e:$a3: get_timePasswordChanged 0xf92f:$a4: get_passwordField 0x26f4f:$a4: get_passwordField 0x3e36f:$a4: get_passwordField 0xfaa9:$a5: set_encryptedPassword 0x270c9:$a5: set_encryptedPassword 0x3e4e9:$a5: set_encryptedPassword 0x11410:$a7: get_logins 0x28a30:$a7: get_logins 0x3fe50:$a7: get_logins 0x110c1:$a8: GetOutlookPasswords 0x286e1:$a8: GetOutlookPasswords 0x3fb01:$a8: GetOutlookPasswords
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bank Swift Payment.bat.exe", ParentImage: C:\Users\user\Desktop\Bank Swift Payment.bat.exe, ParentProcessId: 6932, ParentProcessName: Bank Swift Payment.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe", ProcessId: 5984, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bank Swift Payment.bat.exe", ParentImage: C:\Users\user\Desktop\Bank Swift Payment.bat.exe, ParentProcessId: 6932, ParentProcessName: Bank Swift Payment.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe", ProcessId: 5984, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:49:07.986612+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49691	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Bank Swift Payment.bat.exe

Avira: detected

Found malware configuration

Source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "admin@bouttases.fr", "Password": "NiconPay$", "Server": "mail.bouttases.fr", "To": "collect@bouttases.fr", "Port": 587}

Multi AV Scanner detection for submitted file

Source: Bank Swift Payment.bat.exe	Virustotal: Detection: 39%			Perma Link
Source: Bank Swift Payment.bat.exe	ReversingLabs: Detection: 47%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Bank Swift Payment.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49692 version: TLS 1.0

Source: Bank Swift Payment.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 4x nop then jmp 0105A2C1h	6_2_0105A010
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 4x nop then jmp 0105A88Ah	6_2_0105A470
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 4x nop then jmp 0105A88Ah	6_2_0105A7B7
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 4x nop then jmp 0105EF20h	6_2_0105EB00
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 4x nop then jmp 0105F378h	6_2_0105F0D0
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 4x nop then jmp 0105F7D0h	6_2_0105F528
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 4x nop then jmp 0105FC28h	6_2_0105F980

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49691 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49692 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1228392257.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Bank Swift Payment.bat.exe PID: 6932, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Bank Swift Payment.bat.exe PID: 7160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Bank Swift Payment.bat.exe

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 0_2_02553E1C	0_2_02553E1C
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 6_2_0105A010	6_2_0105A010
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 6_2_01052DD1	6_2_01052DD1
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 6_2_0105A000	6_2_0105A000
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 6_2_0105EB00	6_2_0105EB00
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 6_2_0105F0C0	6_2_0105F0C0
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 6_2_0105F0D0	6_2_0105F0D0
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 6_2_0105F518	6_2_0105F518
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 6_2_0105F528	6_2_0105F528
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 6_2_0105F970	6_2_0105F970
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Code function: 6_2_0105F980	6_2_0105F980

Source: Bank Swift Payment.bat.exe	Binary or memory string: OriginalFilename vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1228392257.000000000287A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1231125393.00000000069AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUI vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1228392257.0000000002681000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1231629603.00000000085A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000000.00000000.1195678128.0000000000390000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVguu.exe8 vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1231388872.0000000006B60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1227630009.000000000093E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1228392257.0000000002762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2450189057.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2450466192.0000000000B37000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Bank Swift Payment.bat.exe
Source: Bank Swift Payment.bat.exe	Binary or memory string: OriginalFilenameVguu.exe8 vs Bank Swift Payment.bat.exe

Source: Bank Swift Payment.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Bank Swift Payment.bat.exe PID: 6932, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Bank Swift Payment.bat.exe PID: 7160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Bank Swift Payment.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, Dj3VdFjgRHxEx1WdNe.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, Dj3VdFjgRHxEx1WdNe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, Dj3VdFjgRHxEx1WdNe.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, Dj3VdFjgRHxEx1WdNe.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, Dj3VdFjgRHxEx1WdNe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, Dj3VdFjgRHxEx1WdNe.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, CFlheP56qLf1MrpxKA.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, CFlheP56qLf1MrpxKA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, CFlheP56qLf1MrpxKA.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, CFlheP56qLf1MrpxKA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/6@2/2

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bank Swift Payment.bat.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Mutant created: \Sessions\1\BaseNamedObjects\JKqDRerfrwDAJRJIklsdwZELYzy
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfvi515l.wfl.ps1

Jump to behavior

Source: Bank Swift Payment.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Bank Swift Payment.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2453164715.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Bank Swift Payment.bat.exe	Virustotal: Detection: 39%
Source: Bank Swift Payment.bat.exe	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\Bank Swift Payment.bat.exe "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Users\user\Desktop\Bank Swift Payment.bat.exe "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Users\user\Desktop\Bank Swift Payment.bat.exe "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Users\user\Desktop\Bank Swift Payment.bat.exe "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Users\user\Desktop\Bank Swift Payment.bat.exe "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Bank Swift Payment.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Bank Swift Payment.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, Dj3VdFjgRHxEx1WdNe.cs	.Net Code: n6dg0uGHHb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, Dj3VdFjgRHxEx1WdNe.cs	.Net Code: n6dg0uGHHb System.Reflection.Assembly.Load(byte[])

Source: Bank Swift Payment.bat.exe

Static PE information: section name: .text entropy: 7.810036719224538

Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, hqe9kAZoFff5VOnnbX.cs	High entropy of concatenated method names: 'bsuNs6XwPl', 'TMHNP6XFqq', 'W5GNHZ9ayR', 'SNENlIOEMK', 'Vg2Nj7CVeL', 'GZlHrIQY5L', 'nMsHtAiKYh', 'g2jH1EjHHW', 'bJxH3Zob3D', 'DL8Hn8TGmD'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, WUocbYncXuKIrVM7yl.cs	High entropy of concatenated method names: 'Iku4ZwtoOw', 'FgY4wpWgnx', 'hTZ4e9kEv8', 'W4H4yIh2Ks', 'yOh4b7BDUw', 'jJo4Gl46B1', 'Cvy4p9DTPj', 'Sja4DtYQR8', 'i154XM7UOw', 'I7e4O69rZj'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, AFa4XMuonMGoLkZQHJ.cs	High entropy of concatenated method names: 'ToString', 'r57YAI9ajY', 'INQYw70R4w', 'Ns0YeZcoUW', 'eKBYya4u0s', 'REDYbiXhws', 'Hf3YGZQDif', 'whoYpY2bSA', 'gBpYDDSBRr', 'xLUYXd5T01'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, gCOwRlXcK80Yld9YUj.cs	High entropy of concatenated method names: 'CO6laBCdeL', 'Y4FlJbk0IF', 'yJPl0TEj9a', 'qfdlEYdunK', 'FDqlMAr2sU', 'BnAlcNIBKZ', 'uhplowXcL2', 'AYEl5wblrg', 'J4Lld2yqsA', 'dDVlixpWHH'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, rmdZ9CPs3WIXyWL5gZ.cs	High entropy of concatenated method names: 'Dispose', 'MyDWnb8cOB', 'MNfBwAZpo6', 'EIHPHtMtMb', 'W9WWfiJcne', 'r2PWzC54Gj', 'ProcessDialogKey', 'O63BQUocbY', 'CXuBWKIrVM', 'nylBB631Q0'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, CFlheP56qLf1MrpxKA.cs	High entropy of concatenated method names: 'Q7EP2bDOnG', 'abIPKkbMil', 'bD1PuY7v0i', 'DoKPmyNgrw', 'ANpPrqLxPK', 'VNmPtvypak', 'AeOP1IZQ3D', 'DXbP3xCcP0', 'oWOPntMGfd', 'Be7PfT04Lc'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, TCUrtpWgq9hXrwNKT22.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wRhU4Uo8GH', 'cJ9ULgJ8oE', 'iSyUvuUJth', 'YhBUUGXQJ2', 'peDUSblWYf', 'leZURmEwcF', 'rmgUkwEecF'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, QhdGNpBjjAxxEMfdkE.cs	High entropy of concatenated method names: 'umE03V0yj', 'VccEgAP11', 'ctHcEvG8h', 'HNkoNJokY', 'UAHdZ0GH3', 'yp7ixRg5O', 'KcnZaw7I0rl98c56AT', 'CTXMgs6LyDPANlQEPo', 'xf7q7PLFt', 'fswLQOmyf'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, Dj3VdFjgRHxEx1WdNe.cs	High entropy of concatenated method names: 'Elm6smxiwt', 'Ga76IvEAR6', 'ICB6PeyPDV', 'Cat6T4plnf', 'GHJ6HMeMGt', 'oic6NJWrep', 'k6Y6ll8XOJ', 'DIE6jjAtL2', 'Ck86hYiNml', 'Gnf6Fy1Y9E'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, QxAEtadxaLBSZZQuPI.cs	High entropy of concatenated method names: 'FLPTEdlcIy', 'xZoTcvWqlc', 'AWnT5vAmKK', 'yeKTdUOhWA', 'n9lTxPVBq6', 'EoiTYv2Ndw', 'ss7TVlT1eG', 'djjTqG6WdA', 'XGRT4gV8xe', 'OgJTL6IThZ'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, jhbJ4iWWmD80OLfSfuC.cs	High entropy of concatenated method names: 'SOYLfEd6ou', 'FPOLzFjJnr', 'tllvQvZ2Q9', 'NNRvWMnWYj', 'HHxvBeEYNW', 'RvRv6Iwj9I', 'wiOvglH0ok', 'p2hvs8H7jG', 'MELvID9TU5', 'ssavPfuNQY'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, yBI7f7imZ2ghWxSgMK.cs	High entropy of concatenated method names: 'sQHHMNOMUN', 'vglHoKq2dX', 'soJTeEGbP8', 'sUPTyD7NZa', 'mvDTbQO43G', 'nFZTGQ9mpm', 'xmBTpscLH6', 'w8TTDLNDa8', 'bwkTX7UdhX', 'Dp8TO1CIpA'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, LdmjBPzOe233j7LYE6.cs	High entropy of concatenated method names: 'CpXLcq5RnS', 'l5SL5b1fhV', 'AcKLdUtbl2', 'Py0LZY9HES', 'o3hLwOR4D7', 'PdFLypQZRn', 'eNbLbK7q1R', 'NGILkFHetH', 'DV8LatePhc', 'Y2sLJViLtk'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, svOoCJgBe7BbPvdOhr.cs	High entropy of concatenated method names: 'qmoWlFlheP', 'cqLWjf1Mrp', 'xxaWFLBSZZ', 'auPW9IJBI7', 'oSgWxMKHqe', 'nkAWYoFff5', 'AhQVShVbhAj56jTcmW', 'aDw1Aub1h2WhVjOVUM', 'CZiWWNPWpb', 'fHHW6H2iWq'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, kkHfnwtsY3OcEV2QGB.cs	High entropy of concatenated method names: 'mBsV3113cf', 'O3fVfHe3wG', 'j5tqQZLQcL', 'b6FqWvMMPb', 'W2fVAAYPoa', 'J6FVCuFCcd', 'YTcV8ILeNC', 'iFlV2sVroI', 'QBWVKjcAsX', 'MITVuH32cX'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, zOgEWEm7sF4Wf21xL1.cs	High entropy of concatenated method names: 'Jf7VFb0Glw', 'cMgV9f1Vky', 'ToString', 'pfMVIOPAY1', 'h7wVPIOcLy', 'IvZVTWNM5M', 'nqEVHxaFTN', 'jytVNjfTKu', 'RBSVlAQtxZ', 'KuXVjcug9r'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, OLUjf3pdQxd31sW4QL.cs	High entropy of concatenated method names: 'vvKlIut7of', 'ejTlTPGIsy', 'pUjlNY07We', 'G7xNfsVyvW', 'udHNzJsYaW', 'vR3lQ6fcgq', 'wO6lWEMEL8', 'CmglBeys9W', 'LZcl6YP13Y', 'YOGlg44wae'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, tOMOs01vLDyDb8cOB1.cs	High entropy of concatenated method names: 'htP4xiNaEf', 'Lif4VZLn9G', 'P4844lZG3o', 'TuR4vA2kjZ', 'XjU4S5g0BG', 'K9Q4kKU2ZP', 'Dispose', 'oLKqIGrrn6', 'fV9qPcTLsY', 'NFFqTK3o9v'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, ndyJgt8IBrZ5wvvYmp.cs	High entropy of concatenated method names: 'zlT75OcLDK', 'xT77dMy3nj', 'mFD7ZQt9n9', 'gTr7w5TWUj', 'ULe7ytTBNP', 'LJT7bM59wB', 'IyR7p5EL28', 'Cho7DBtJCj', 'iED7OvHIaN', 'Gn77ApEshi'
Source: 0.2.Bank Swift Payment.bat.exe.3808e70.5.raw.unpack, d31Q0afGsyMHaxiR66.cs	High entropy of concatenated method names: 'sSELTqVoBN', 'vsGLHCsyF9', 'prrLNTkqNB', 'tgfLl2UMdw', 'qjvL4cJXdF', 'R3QLjiB5uy', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, hqe9kAZoFff5VOnnbX.cs	High entropy of concatenated method names: 'bsuNs6XwPl', 'TMHNP6XFqq', 'W5GNHZ9ayR', 'SNENlIOEMK', 'Vg2Nj7CVeL', 'GZlHrIQY5L', 'nMsHtAiKYh', 'g2jH1EjHHW', 'bJxH3Zob3D', 'DL8Hn8TGmD'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, WUocbYncXuKIrVM7yl.cs	High entropy of concatenated method names: 'Iku4ZwtoOw', 'FgY4wpWgnx', 'hTZ4e9kEv8', 'W4H4yIh2Ks', 'yOh4b7BDUw', 'jJo4Gl46B1', 'Cvy4p9DTPj', 'Sja4DtYQR8', 'i154XM7UOw', 'I7e4O69rZj'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, AFa4XMuonMGoLkZQHJ.cs	High entropy of concatenated method names: 'ToString', 'r57YAI9ajY', 'INQYw70R4w', 'Ns0YeZcoUW', 'eKBYya4u0s', 'REDYbiXhws', 'Hf3YGZQDif', 'whoYpY2bSA', 'gBpYDDSBRr', 'xLUYXd5T01'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, gCOwRlXcK80Yld9YUj.cs	High entropy of concatenated method names: 'CO6laBCdeL', 'Y4FlJbk0IF', 'yJPl0TEj9a', 'qfdlEYdunK', 'FDqlMAr2sU', 'BnAlcNIBKZ', 'uhplowXcL2', 'AYEl5wblrg', 'J4Lld2yqsA', 'dDVlixpWHH'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, rmdZ9CPs3WIXyWL5gZ.cs	High entropy of concatenated method names: 'Dispose', 'MyDWnb8cOB', 'MNfBwAZpo6', 'EIHPHtMtMb', 'W9WWfiJcne', 'r2PWzC54Gj', 'ProcessDialogKey', 'O63BQUocbY', 'CXuBWKIrVM', 'nylBB631Q0'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, CFlheP56qLf1MrpxKA.cs	High entropy of concatenated method names: 'Q7EP2bDOnG', 'abIPKkbMil', 'bD1PuY7v0i', 'DoKPmyNgrw', 'ANpPrqLxPK', 'VNmPtvypak', 'AeOP1IZQ3D', 'DXbP3xCcP0', 'oWOPntMGfd', 'Be7PfT04Lc'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, TCUrtpWgq9hXrwNKT22.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wRhU4Uo8GH', 'cJ9ULgJ8oE', 'iSyUvuUJth', 'YhBUUGXQJ2', 'peDUSblWYf', 'leZURmEwcF', 'rmgUkwEecF'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, QhdGNpBjjAxxEMfdkE.cs	High entropy of concatenated method names: 'umE03V0yj', 'VccEgAP11', 'ctHcEvG8h', 'HNkoNJokY', 'UAHdZ0GH3', 'yp7ixRg5O', 'KcnZaw7I0rl98c56AT', 'CTXMgs6LyDPANlQEPo', 'xf7q7PLFt', 'fswLQOmyf'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, Dj3VdFjgRHxEx1WdNe.cs	High entropy of concatenated method names: 'Elm6smxiwt', 'Ga76IvEAR6', 'ICB6PeyPDV', 'Cat6T4plnf', 'GHJ6HMeMGt', 'oic6NJWrep', 'k6Y6ll8XOJ', 'DIE6jjAtL2', 'Ck86hYiNml', 'Gnf6Fy1Y9E'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, QxAEtadxaLBSZZQuPI.cs	High entropy of concatenated method names: 'FLPTEdlcIy', 'xZoTcvWqlc', 'AWnT5vAmKK', 'yeKTdUOhWA', 'n9lTxPVBq6', 'EoiTYv2Ndw', 'ss7TVlT1eG', 'djjTqG6WdA', 'XGRT4gV8xe', 'OgJTL6IThZ'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, jhbJ4iWWmD80OLfSfuC.cs	High entropy of concatenated method names: 'SOYLfEd6ou', 'FPOLzFjJnr', 'tllvQvZ2Q9', 'NNRvWMnWYj', 'HHxvBeEYNW', 'RvRv6Iwj9I', 'wiOvglH0ok', 'p2hvs8H7jG', 'MELvID9TU5', 'ssavPfuNQY'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, yBI7f7imZ2ghWxSgMK.cs	High entropy of concatenated method names: 'sQHHMNOMUN', 'vglHoKq2dX', 'soJTeEGbP8', 'sUPTyD7NZa', 'mvDTbQO43G', 'nFZTGQ9mpm', 'xmBTpscLH6', 'w8TTDLNDa8', 'bwkTX7UdhX', 'Dp8TO1CIpA'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, LdmjBPzOe233j7LYE6.cs	High entropy of concatenated method names: 'CpXLcq5RnS', 'l5SL5b1fhV', 'AcKLdUtbl2', 'Py0LZY9HES', 'o3hLwOR4D7', 'PdFLypQZRn', 'eNbLbK7q1R', 'NGILkFHetH', 'DV8LatePhc', 'Y2sLJViLtk'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, svOoCJgBe7BbPvdOhr.cs	High entropy of concatenated method names: 'qmoWlFlheP', 'cqLWjf1Mrp', 'xxaWFLBSZZ', 'auPW9IJBI7', 'oSgWxMKHqe', 'nkAWYoFff5', 'AhQVShVbhAj56jTcmW', 'aDw1Aub1h2WhVjOVUM', 'CZiWWNPWpb', 'fHHW6H2iWq'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, kkHfnwtsY3OcEV2QGB.cs	High entropy of concatenated method names: 'mBsV3113cf', 'O3fVfHe3wG', 'j5tqQZLQcL', 'b6FqWvMMPb', 'W2fVAAYPoa', 'J6FVCuFCcd', 'YTcV8ILeNC', 'iFlV2sVroI', 'QBWVKjcAsX', 'MITVuH32cX'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, zOgEWEm7sF4Wf21xL1.cs	High entropy of concatenated method names: 'Jf7VFb0Glw', 'cMgV9f1Vky', 'ToString', 'pfMVIOPAY1', 'h7wVPIOcLy', 'IvZVTWNM5M', 'nqEVHxaFTN', 'jytVNjfTKu', 'RBSVlAQtxZ', 'KuXVjcug9r'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, OLUjf3pdQxd31sW4QL.cs	High entropy of concatenated method names: 'vvKlIut7of', 'ejTlTPGIsy', 'pUjlNY07We', 'G7xNfsVyvW', 'udHNzJsYaW', 'vR3lQ6fcgq', 'wO6lWEMEL8', 'CmglBeys9W', 'LZcl6YP13Y', 'YOGlg44wae'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, tOMOs01vLDyDb8cOB1.cs	High entropy of concatenated method names: 'htP4xiNaEf', 'Lif4VZLn9G', 'P4844lZG3o', 'TuR4vA2kjZ', 'XjU4S5g0BG', 'K9Q4kKU2ZP', 'Dispose', 'oLKqIGrrn6', 'fV9qPcTLsY', 'NFFqTK3o9v'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, ndyJgt8IBrZ5wvvYmp.cs	High entropy of concatenated method names: 'zlT75OcLDK', 'xT77dMy3nj', 'mFD7ZQt9n9', 'gTr7w5TWUj', 'ULe7ytTBNP', 'LJT7bM59wB', 'IyR7p5EL28', 'Cho7DBtJCj', 'iED7OvHIaN', 'Gn77ApEshi'
Source: 0.2.Bank Swift Payment.bat.exe.85a0000.7.raw.unpack, d31Q0afGsyMHaxiR66.cs	High entropy of concatenated method names: 'sSELTqVoBN', 'vsGLHCsyF9', 'prrLNTkqNB', 'tgfLl2UMdw', 'qjvL4cJXdF', 'R3QLjiB5uy', 'Next', 'Next', 'Next', 'NextBytes'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 6932, type: MEMORYSTR

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Memory allocated: 24B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Memory allocated: 2680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Memory allocated: 24B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Memory allocated: 8750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Memory allocated: 9750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Memory allocated: 9950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Memory allocated: A950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6936			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2817			Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe TID: 3548	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7324	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Bank Swift Payment.bat.exe, 00000000.00000002.1231125393.0000000006960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\4
Source: Bank Swift Payment.bat.exe, 00000000.00000002.1231125393.0000000006960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Bank Swift Payment.bat.exe, 00000006.00000002.2451423824.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/&uz

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

Memory written: C:\Users\user\Desktop\Bank Swift Payment.bat.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Users\user\Desktop\Bank Swift Payment.bat.exe "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Process created: C:\Users\user\Desktop\Bank Swift Payment.bat.exe "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Users\user\Desktop\Bank Swift Payment.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Users\user\Desktop\Bank Swift Payment.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 7160, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 7160, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 7160, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Bank Swift Payment.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 7160, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 7160, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Bank Swift Payment.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.37645a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Swift Payment.bat.exe.374cf80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Swift Payment.bat.exe PID: 7160, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Bank Swift Payment.bat.exe	40%	Virustotal		Browse
Bank Swift Payment.bat.exe	47%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
Bank Swift Payment.bat.exe	100%	Avira	HEUR/AGEN.1306911

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Bank Swift Payment.bat.exe, 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bank Swift Payment.bat.exe, 00000000.00000002.1228392257.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	Bank Swift Payment.bat.exe, 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Bank Swift Payment.bat.exe, 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2452286247.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, Bank Swift Payment.bat.exe, 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637287
Start date and time:	2025-03-13 13:48:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Bank Swift Payment.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/6@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 93% Number of executed functions: 68 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Bank Swift Payment.bat.exe, PID 7160 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:49:04	API Interceptor	1x Sleep call for process: Bank Swift Payment.bat.exe modified
08:49:05	API Interceptor	8x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ySUB97Jq80.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.shlomi.app/9rzh/
	hQaXUS5gt0.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/3nis/
	6nA8ZygZLP.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	UhuGtHUgHf.exe	Get hash	malicious	FormBook	Browse	www.enoughmoney.online/z9gb/
	Bill_of_Lading_20250307_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Stormwater Works Drawings Spec.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	Shipment Delivery No DE0093002-PDF.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	Remittance_CT022024.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/fix/five/fre.php
	http://microsoft-sharepoint4543464633.pages.dev/index-2jc93/	Get hash	malicious	HTMLPhisher	Browse	microsoft-sharepoint4543464633.pages.dev/index-2jc93/
	install.exe	Get hash	malicious	Babadeda	Browse	api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated
193.122.130.0	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_MARQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	checkip.dyndns.org/
	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	QUOTATION_MARQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	193.122.130.0
	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO-2513203-PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	justificante de transferencia09454545.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	158.101.44.242
	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	Product Order Hirsch 1475.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
reallyfreegeoip.org	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	QUOTATION_MARQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.32.1
	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	PO-2513203-PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	justificante de transferencia09454545.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.64.1
	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	Product Order Hirsch 1475.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Arly.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.19.24
	CheatInjector.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SoftWare.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	FortniteHack.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.19.24
	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
ORACLE-BMC-31898US	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	QUOTATION_MARQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	193.122.130.0
	justificante de transferencia09454545.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	158.101.44.242
	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	Order 20201103.exe	Get hash	malicious	RedLine	Browse	104.21.48.1
	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	PO-2513203-PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	justificante de transferencia09454545.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.48.1
	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	Product Order Hirsch 1475.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\Bank Swift Payment.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.356731422178564
Encrypted:	false
SSDEEP:	24:3CytZWSKco4KmZjKbmOIKodL1s4RPxmoUP7mZ9t7J0gt/NKIl9ia8Hu:yyjWSU4xympg4REoUP7mZ9tK8NDT
MD5:	3C1F4EB8A24AEA81BE3872D55244E4D4
SHA1:	0A0F4B0098DE41EF9220BBC721B6B6E984828E64
SHA-256:	A286BF07961244251E9D20581E3E1BEBC5CAB6A0D85F3E3D0280BE2A330B71BC
SHA-512:	B7F8709BAB447AD0443C692599B3D290C9E3E04DCAF34E1D124C60C7E9B10EFF0E68E72945B97397F84B1627DE3BD83596915235F21663AF67B891929300C4E5
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1s22uek3.rpy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njrozhuy.yv2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfvi515l.wfl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytwdzvdo.iw1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.801973953713205
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Bank Swift Payment.bat.exe
File size:	517'632 bytes
MD5:	6157bd9e1f8f34619e222262a71b79cd
SHA1:	31818fbc3eec3c641f28bbcf94c59dea97f1cacf
SHA256:	3c7f61519b46af007450df7ef19b49df3a8b60d0b7c4fd82112068994262be6e
SHA512:	17118d382e8b07696d3a5c7ae8a869ed8cf1e88bde780c907662a2b1f33de8ec58a9dfdb080251b61dc0e7f21435644c34c3aa0282dcd5878dd30818606ccaf5
SSDEEP:	12288:85MOiV1JqhSvYg7IYU/2UPkY1Gp3/B/dQ/Wb8T2DQDs:85MOiX3A9zjM3jQ/Wb8aD+s
TLSH:	14B412F4935ACD62EEE617710933D27256BA5F6CF012C70387E9FEEF3801222650959A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...6S.g..............0...... ......v.... ........@.. .......................@............`................................

File Icon


Icon Hash:	c490e8cccce890cc

Static PE Info

General

Entrypoint:	0x47e276
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D25336 [Thu Mar 13 03:38:30 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7e224	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x1de8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7c27c	0x7c400	ac6f7f3e7aa28473712cc573b4430c9c	False	0.9141076930331992	zlib compressed data	7.810036719224538	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x1de8	0x1e00	5afefcf8f78648fdbc6ea01646afa161	False	0.878125	data	7.489933166594714	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x200	4afc72be92ef401dc7f2576ea2e73daf	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x800c8	0x19d1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9506733242548041
RT_GROUP_ICON	0x81aac	0x14	data	1.05
RT_VERSION	0x81ad0	0x314	data	0.4352791878172589

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	WFBind.Demo
FileVersion	1.0.0.0
InternalName	Vguu.exe
LegalCopyright	Copyright 2016
LegalTrademarks
OriginalFilename	Vguu.exe
ProductName	WFBind.Demo
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T13:49:07.986612+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49691	193.122.130.0	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:49:06.575491905 CET	49691	80	192.168.2.6	193.122.130.0
Mar 13, 2025 13:49:06.580329895 CET	80	49691	193.122.130.0	192.168.2.6
Mar 13, 2025 13:49:06.580406904 CET	49691	80	192.168.2.6	193.122.130.0
Mar 13, 2025 13:49:06.581201077 CET	49691	80	192.168.2.6	193.122.130.0
Mar 13, 2025 13:49:06.585947037 CET	80	49691	193.122.130.0	192.168.2.6
Mar 13, 2025 13:49:07.418726921 CET	80	49691	193.122.130.0	192.168.2.6
Mar 13, 2025 13:49:07.423113108 CET	49691	80	192.168.2.6	193.122.130.0
Mar 13, 2025 13:49:07.427917004 CET	80	49691	193.122.130.0	192.168.2.6
Mar 13, 2025 13:49:07.935919046 CET	80	49691	193.122.130.0	192.168.2.6
Mar 13, 2025 13:49:07.949599028 CET	49692	443	192.168.2.6	104.21.48.1
Mar 13, 2025 13:49:07.949656963 CET	443	49692	104.21.48.1	192.168.2.6
Mar 13, 2025 13:49:07.949718952 CET	49692	443	192.168.2.6	104.21.48.1
Mar 13, 2025 13:49:07.956753016 CET	49692	443	192.168.2.6	104.21.48.1
Mar 13, 2025 13:49:07.956763983 CET	443	49692	104.21.48.1	192.168.2.6
Mar 13, 2025 13:49:07.986612082 CET	49691	80	192.168.2.6	193.122.130.0
Mar 13, 2025 13:49:09.607892990 CET	443	49692	104.21.48.1	192.168.2.6
Mar 13, 2025 13:49:09.609833956 CET	49692	443	192.168.2.6	104.21.48.1
Mar 13, 2025 13:49:09.614062071 CET	49692	443	192.168.2.6	104.21.48.1
Mar 13, 2025 13:49:09.614079952 CET	443	49692	104.21.48.1	192.168.2.6
Mar 13, 2025 13:49:09.614329100 CET	443	49692	104.21.48.1	192.168.2.6
Mar 13, 2025 13:49:09.658596992 CET	49692	443	192.168.2.6	104.21.48.1
Mar 13, 2025 13:49:09.679825068 CET	49692	443	192.168.2.6	104.21.48.1
Mar 13, 2025 13:49:09.724323988 CET	443	49692	104.21.48.1	192.168.2.6
Mar 13, 2025 13:49:10.167849064 CET	443	49692	104.21.48.1	192.168.2.6
Mar 13, 2025 13:49:10.187875986 CET	443	49692	104.21.48.1	192.168.2.6
Mar 13, 2025 13:49:10.187975883 CET	49692	443	192.168.2.6	104.21.48.1
Mar 13, 2025 13:49:10.198693037 CET	49692	443	192.168.2.6	104.21.48.1
Mar 13, 2025 13:50:12.937447071 CET	80	49691	193.122.130.0	192.168.2.6
Mar 13, 2025 13:50:12.937509060 CET	49691	80	192.168.2.6	193.122.130.0
Mar 13, 2025 13:50:47.940028906 CET	49691	80	192.168.2.6	193.122.130.0
Mar 13, 2025 13:50:47.944812059 CET	80	49691	193.122.130.0	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:49:06.529130936 CET	64033	53	192.168.2.6	1.1.1.1
Mar 13, 2025 13:49:06.536082029 CET	53	64033	1.1.1.1	192.168.2.6
Mar 13, 2025 13:49:07.940937042 CET	52988	53	192.168.2.6	1.1.1.1
Mar 13, 2025 13:49:07.948860884 CET	53	52988	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 13:49:06.529130936 CET	192.168.2.6	1.1.1.1	0x9cc9	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:07.940937042 CET	192.168.2.6	1.1.1.1	0x759b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 13:49:06.536082029 CET	1.1.1.1	192.168.2.6	0x9cc9	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2025 13:49:06.536082029 CET	1.1.1.1	192.168.2.6	0x9cc9	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:06.536082029 CET	1.1.1.1	192.168.2.6	0x9cc9	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:06.536082029 CET	1.1.1.1	192.168.2.6	0x9cc9	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:06.536082029 CET	1.1.1.1	192.168.2.6	0x9cc9	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:06.536082029 CET	1.1.1.1	192.168.2.6	0x9cc9	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:07.948860884 CET	1.1.1.1	192.168.2.6	0x759b	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:07.948860884 CET	1.1.1.1	192.168.2.6	0x759b	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:07.948860884 CET	1.1.1.1	192.168.2.6	0x759b	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:07.948860884 CET	1.1.1.1	192.168.2.6	0x759b	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:07.948860884 CET	1.1.1.1	192.168.2.6	0x759b	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:07.948860884 CET	1.1.1.1	192.168.2.6	0x759b	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:49:07.948860884 CET	1.1.1.1	192.168.2.6	0x759b	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49691	193.122.130.0	80	7160	C:\Users\user\Desktop\Bank Swift Payment.bat.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 13:49:06.581201077 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 13, 2025 13:49:07.418726921 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:49:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 377a793b87f4bed38c1839fd6c77e878 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 13, 2025 13:49:07.423113108 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 13, 2025 13:49:07.935919046 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:49:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: af68d77effcb9afbb31f033daeaba210 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49692	104.21.48.1	443	7160	C:\Users\user\Desktop\Bank Swift Payment.bat.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:49:09 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-13 12:49:10 UTC	849	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:49:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 13295 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 13 Mar 2025 09:07:34 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wVz71X8KFezMRIuw7SgPSFunFtuVMnoGhstG0S4aj14J3I4Tm1DUTu3yIX5sKeyeksjOcrGj8Gm7FivvWRn2TkzqVgFACViuz8gGMZqgJUx0e9zxd2SQiyjRfG0tpOCxsWAaZIxS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fba6553d22bf6e-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18716&min_rtt=18020&rtt_var=6453&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=123281&cwnd=240&unsent_bytes=0&cid=1860c0d7e2d8cb2d&ts=700&x=0"
2025-03-13 12:49:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	08:49:04
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\Bank Swift Payment.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bank Swift Payment.bat.exe"
Imagebase:	0x310000
File size:	517'632 bytes
MD5 hash:	6157BD9E1F8F34619E222262A71B79CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1228970125.000000000374C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:49:05
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Swift Payment.bat.exe"
Imagebase:	0xa50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:49:05
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\Bank Swift Payment.bat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Bank Swift Payment.bat.exe"
Imagebase:	0x3f0000
File size:	517'632 bytes
MD5 hash:	6157BD9E1F8F34619E222262A71B79CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:49:05
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:49:05
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\Bank Swift Payment.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bank Swift Payment.bat.exe"
Imagebase:	0x720000
File size:	517'632 bytes
MD5 hash:	6157BD9E1F8F34619E222262A71B79CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2450189057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	29
Total number of Limit Nodes:	4

Executed Functions

Function 02553E1C Relevance: 2.2, Strings: 1, Instructions: 955
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 02557CB3

Memory Dump Source

Source File: 00000000.00000002.1228313941.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2550000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 512f91e05e883fb350d4232ff27ebd9d6861267014771c360d97c467b5ec2723
Instruction ID: 109fa9b7d3de4abfe24661a4bbf8775bd15c64b43c1df347b3a590f8250f9885
Opcode Fuzzy Hash: 512f91e05e883fb350d4232ff27ebd9d6861267014771c360d97c467b5ec2723
Instruction Fuzzy Hash: 17B28074A012298FDB65DF68C998BDDBBB2FB49300F1085EAD809A7355DB309E81CF51

Function 0255EF78 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0255EFF6
GetCurrentThread.KERNEL32 ref: 0255F033
GetCurrentProcess.KERNEL32 ref: 0255F070
GetCurrentThreadId.KERNEL32 ref: 0255F0C9

Memory Dump Source

Source File: 00000000.00000002.1228313941.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2550000_Bank Swift Payment.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 254e308b686917f83ba7290ff1b784144ac3a0cf171380469fbe7d99ca072c45
Instruction ID: ea8f62bb6ebb222275678ee23d1448f7d7a7a6b45ae81acdba2f45ccac4bf274
Opcode Fuzzy Hash: 254e308b686917f83ba7290ff1b784144ac3a0cf171380469fbe7d99ca072c45
Instruction Fuzzy Hash: 665163B19012098FEB14DFAAD548BAEBFF1EF48304F24805AE419A73A1C734A944CB65

Function 0255590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025559C9

Memory Dump Source

Source File: 00000000.00000002.1228313941.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2550000_Bank Swift Payment.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 26e7e3b4ce18b3df2ef532a01c25ec93c48b78027c14645deff702a329fa33a3
Instruction ID: 44b19040a6c078fe051615f9e09ae67a8844597b002be40ce929d005d79a9127
Opcode Fuzzy Hash: 26e7e3b4ce18b3df2ef532a01c25ec93c48b78027c14645deff702a329fa33a3
Instruction Fuzzy Hash: F341E071C00619CBDB24CFA9C884BCEBBB6BF48304F60806AD819AB251DB756949CF64

Function 0255449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025559C9

Memory Dump Source

Source File: 00000000.00000002.1228313941.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2550000_Bank Swift Payment.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 94d6c9b5311ab8b9dd4380e8dcfe9db4f9cc9cd09eb8c88d22d76e91c1d9692f
Instruction ID: 44ece52ff677000bc1b7c5e478155f166e947901dbd8869de33fcae9cb188811
Opcode Fuzzy Hash: 94d6c9b5311ab8b9dd4380e8dcfe9db4f9cc9cd09eb8c88d22d76e91c1d9692f
Instruction Fuzzy Hash: 7E41D071C00619CBDB24CFA9C884ADEBBF5BF48304F60846AD818BB251DB756945CFA4

Function 0255F1C0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0255F247

Memory Dump Source

Source File: 00000000.00000002.1228313941.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2550000_Bank Swift Payment.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: af4e477549d47a8c55dfb32f1523dfd3165223433a40dd600b2737d40fcdc650
Instruction ID: 02aabb672e19e1231d47aa67cf2dcf1e84f2f10b3a33013c61f4cd75d1e69ac8
Opcode Fuzzy Hash: af4e477549d47a8c55dfb32f1523dfd3165223433a40dd600b2737d40fcdc650
Instruction Fuzzy Hash: B521E4B59002099FDB10CFAAD984ADEBFF5FB48310F14841AE914B7310D374A950CFA4

Function 0255CDB8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0255CE1E

Memory Dump Source

Source File: 00000000.00000002.1228313941.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2550000_Bank Swift Payment.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6f0fd3e253ff3d582b32e7ebd9af5f82b576083c6899f1867c3a3dfd4a6893ba
Instruction ID: cbfaefaee7b2b87f4208e3f26a37a488ddabe027333a15e069081efbc8280602
Opcode Fuzzy Hash: 6f0fd3e253ff3d582b32e7ebd9af5f82b576083c6899f1867c3a3dfd4a6893ba
Instruction Fuzzy Hash: 5A110FB6C003498FCB20CF9AD444ADEFBF4EB88314F14841AD819B7200C375A545CFA5

Function 0240D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1228038806.000000000240D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0240D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240d000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c29e565373498c34c52890644c567bf6e1b071c035956044407b169bbf9e93f
Instruction ID: 775f6e5dd5abccf2e84be636cd38f736fda4409929177eafd22ce722d10f8559
Opcode Fuzzy Hash: 4c29e565373498c34c52890644c567bf6e1b071c035956044407b169bbf9e93f
Instruction Fuzzy Hash: D7210671904204DFDB09DF54D9C0B17BF65FB88324F24C17AE9090B396C33AE49ACAA2

Function 0241D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1228090597.000000000241D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0241D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_241d000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdd068736e679f7ec52b35b2ab4907ac7bcad210e507e1da10122df86c5c34e
Instruction ID: 20c73949a5b6bd951278995d29e8b71539e873d1046c2068a38b04972419218a
Opcode Fuzzy Hash: 0bdd068736e679f7ec52b35b2ab4907ac7bcad210e507e1da10122df86c5c34e
Instruction Fuzzy Hash: 3C2104B1A04240EFDB09DF14D9C0B26BBA5FB88314F24C66EE9094F356C33AD846CA61

Function 0241D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1228090597.000000000241D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0241D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_241d000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da0116f9fd8693bd761d1267c7194eaabc55b20f69f84faf7e923a6599acb95
Instruction ID: df9da40a5e6fb5df80a79b576eab900b7fd3acaf21d289559f48bb3a8647c9b5
Opcode Fuzzy Hash: 8da0116f9fd8693bd761d1267c7194eaabc55b20f69f84faf7e923a6599acb95
Instruction Fuzzy Hash: 9121F2B5A04240DFDB15DF14D980B16BFA5EB88318F24C56EE90A4B356C33BD847CA61

Function 0241D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1228090597.000000000241D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0241D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_241d000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9e34a647a6fcc772ed42c55c1a1ce594412af5869cb941c7e24fb12ffd0c9c
Instruction ID: 490af37f8ed48cc7804f60378b6d8db68edc7c59f64a9d523669559ba7f3c94c
Opcode Fuzzy Hash: 4e9e34a647a6fcc772ed42c55c1a1ce594412af5869cb941c7e24fb12ffd0c9c
Instruction Fuzzy Hash: B2218075509380CFDB06CF24D590716BF71EB46218F28C5DBD8498B2A7C33A980ACB62

Function 0240D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1228038806.000000000240D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0240D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240d000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726c272ddf9d1372811d05ee45faf9f1355dce0f31623ae56098829c69daa6df
Instruction ID: f63652b176b6d31020bea77f359deaa2448d9cc8432eb0ff4171bd34ce993313
Opcode Fuzzy Hash: 726c272ddf9d1372811d05ee45faf9f1355dce0f31623ae56098829c69daa6df
Instruction Fuzzy Hash: 7311D376904240DFDB16CF54D9C4B16BF71FB84324F28C6AAD9090B756C33AE45ACBA1

Function 0241D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1228090597.000000000241D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0241D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_241d000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f503f778aeac3a07bb6588130c9135d0a53f708ec3930929eee3262ecda282
Instruction ID: c761f6de7c46eefccdcb5992d50883d5d1cab5faf7a7f988ade5bc5bbbe862fa
Opcode Fuzzy Hash: e0f503f778aeac3a07bb6588130c9135d0a53f708ec3930929eee3262ecda282
Instruction Fuzzy Hash: 77118BB5904280DFDB1ACF14D5C4B16BBA1FB84314F28C6AAD8494F796C33AD45ACB61

Function 0240D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1228038806.000000000240D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0240D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240d000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9c1095352646a4c5daa3429c802214756b12f27dbb8a7ebb0316902be077f8
Instruction ID: bca81644e4507f0946eea97ae72d6b4742a3316c60c21dafa48258abe93388df
Opcode Fuzzy Hash: 4f9c1095352646a4c5daa3429c802214756b12f27dbb8a7ebb0316902be077f8
Instruction Fuzzy Hash: 4001D431504B40DAE7115E69CDC4B67BB98DF85234F18853BED081B3C6D779A489CA71

Function 0240D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1228038806.000000000240D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0240D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240d000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b4eb9eaf11237748d50f00d503974393fa14df467619a75c5e2a796d8e2855
Instruction ID: 020d3a45b9ff894f265214d4d7884ec1309b83a4afc309eaad30784128b538b2
Opcode Fuzzy Hash: 89b4eb9eaf11237748d50f00d503974393fa14df467619a75c5e2a796d8e2855
Instruction Fuzzy Hash: 04F06275505644AEE7108F19D9C4B63FFD8EB85634F18C46BED085B386C379A844CBB1

Analysis Process: Bank Swift Payment.bat.exePID: 7160, Parent PID: 6932COMMON

Executed Functions

Function 01052DD1 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca518a61020850cadad1dba5cee72794cdc0511ecacf96bc612267cfe103da7
Instruction ID: 3c8aebbed504d4deb03142b645c126fa894a8d213b3e90825b30f6bb3c841a92
Opcode Fuzzy Hash: 8ca518a61020850cadad1dba5cee72794cdc0511ecacf96bc612267cfe103da7
Instruction Fuzzy Hash: 4FE17075E00208DFDB88DFB9D8586AEBBB2BF88350B148429E846FB355DF349805CB51

Function 0105A010 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ae7b7eb1b7414a4920adae6ae4dbd39d01a2d77b4d2a651bfaf557ff22c5d3
Instruction ID: f4e2cbe5327c6ae2e9a6534c9b5becf11ea071e436942523e3129a3e189b8a44
Opcode Fuzzy Hash: 69ae7b7eb1b7414a4920adae6ae4dbd39d01a2d77b4d2a651bfaf557ff22c5d3
Instruction Fuzzy Hash: 0FC1C278E01218CFDB54DFA5D994B9DBBB2FF88304F1081AAD809AB355DB359A85CF10

Function 0105A470 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db658f1bea4aabd8eb582da465bd1fc60bf38281113c8991e5f36e325c84de51
Instruction ID: 667a145b23a6348f028c89265f27cdae00d3a8be3a792928887b88ae9f5080d7
Opcode Fuzzy Hash: db658f1bea4aabd8eb582da465bd1fc60bf38281113c8991e5f36e325c84de51
Instruction Fuzzy Hash: 94A10474E00208CFEB54DFA9C948B9DBBB1FF88314F208269E549A72A1DB759985CF50

Function 0105A7B7 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44f333cdd129515f281c3c4569abc144049c6ce2bf0649426be2b43defaeda2
Instruction ID: ea759b5c744d8a2a65cd99c4258b018e73a3b63527cb78ae96852baa8bd27254
Opcode Fuzzy Hash: d44f333cdd129515f281c3c4569abc144049c6ce2bf0649426be2b43defaeda2
Instruction Fuzzy Hash: BA91F574E00208CFEB50DFA8C944BADBBF1FF89314F248299E549A7292DB759985CF14

Function 0105A000 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdabec34ff0a2a9b5b8bf08657c444bbc743dce65bc36e1b734c25cac5053d26
Instruction ID: 4827bb35f3102c5280d1aa58fb6c8ec76bcb661cf7f3078b4a304598d5b48ed0
Opcode Fuzzy Hash: bdabec34ff0a2a9b5b8bf08657c444bbc743dce65bc36e1b734c25cac5053d26
Instruction Fuzzy Hash: 9C41E474E01248CBEB58DFAAD94479EFBF2AFC8300F20D12AD819AB255DB348945CF54

Function 01053F78 Relevance: 3.9, Strings: 3, Instructions: 125COMMON

Download Yara Rule

Strings

Ljhp, xrefs: 01054078
0ohp, xrefs: 01053FDA
Ljhp, xrefs: 01054088

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID: 0ohp$Ljhp$Ljhp
API String ID: 0-1378888368
Opcode ID: 914ba0062d8a0c245b8ce114fe62135e785c2a36a49e35eda7c8d0b0316ba915
Instruction ID: 3b071ebd2862c0a69fe2db4133290e9c1b98102e213c08b03d4f2f62ca4cbe8d
Opcode Fuzzy Hash: 914ba0062d8a0c245b8ce114fe62135e785c2a36a49e35eda7c8d0b0316ba915
Instruction Fuzzy Hash: 7251E674E00208CFDB84DFAAD58499DBBF2BF89310F209469E815BB365EB349945CF10

Function 0105B598 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

, xrefs: 0105B695

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 23bf4fe3eabf2aadb3a64f08a1190be1763f87c10b85e3dacbfaf4ad5c173ba4
Instruction ID: 6914ffa38b4768eaacada8f50177e031b152bb71433350304fa5050b09a2d4f4
Opcode Fuzzy Hash: 23bf4fe3eabf2aadb3a64f08a1190be1763f87c10b85e3dacbfaf4ad5c173ba4
Instruction Fuzzy Hash: 7FA1D130B006049FDBA59F78945866E3AE3EFC8320F14456AE9969B3D1DF35DD02CB61

Function 0105D6A8 Relevance: .8, Instructions: 786COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485083cfd55a8baf366840741d6332ac49277eda7bbd3927d5d7070ebc0161c0
Instruction ID: 7169a4e5d935e9a5051e33821df4fea05e1ae962f4f739e554f57d0fbe25cdfe
Opcode Fuzzy Hash: 485083cfd55a8baf366840741d6332ac49277eda7bbd3927d5d7070ebc0161c0
Instruction Fuzzy Hash: 15623234A00218CFEB559FA4C864B9EBBB6EF84300F1080A9D54A77395DF399E45DF61

Function 010519B8 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ec11378b7f03c72dd18e401238d54467a4c37aa7fe92ccff1a2cbfc9e274a9
Instruction ID: 009040c133fc0d67e1857aa2ab29847b04e0085a30ed60fcd18f5f8124d3f58c
Opcode Fuzzy Hash: 40ec11378b7f03c72dd18e401238d54467a4c37aa7fe92ccff1a2cbfc9e274a9
Instruction Fuzzy Hash: CD42FDB3A553958BC796CF58D86629DBFF1EFB0328BAA445DD4C0D2642F77A8880C740

Function 0105CB68 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7d07af257eddc8e2dc9f822a818f5c6f8e9d13480be59c3fc80108cb3ea747
Instruction ID: 1f6f909b45f7a89b141e67198e72d6ed6aaa67489d92605f4b5941ef909ccd50
Opcode Fuzzy Hash: 9f7d07af257eddc8e2dc9f822a818f5c6f8e9d13480be59c3fc80108cb3ea747
Instruction Fuzzy Hash: BF029174A0020ADFDB95CFA8C988AAFBBF6FF48344F158555E885EB251C730E881CB55

Function 0105BB30 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198b8bad6e67ce1a64b4ec7b62f3356cb6a37914cbb99d51a871633f37e93a48
Instruction ID: 185bf47107071d5e9a97bf17a439ef5ee5a0565c272fdd8302ff2359016f2d89
Opcode Fuzzy Hash: 198b8bad6e67ce1a64b4ec7b62f3356cb6a37914cbb99d51a871633f37e93a48
Instruction Fuzzy Hash: 99D1C430B001048FDB95DB6CC850AAE7BE7EF89320F1445A5E945EB392CE75ED41CBA1

Function 01050B20 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1aa45321b08d4209fe58aaa66b93da804009314884a9faf9f677a56a66a0d7
Instruction ID: 4b593474edcfda6c1ae1a2e1da1df1ef64d51c0de67d4d967529705ee7949688
Opcode Fuzzy Hash: de1aa45321b08d4209fe58aaa66b93da804009314884a9faf9f677a56a66a0d7
Instruction Fuzzy Hash: 35A1FD74E00249CFCF45EFA8E99499D7BB1FB88309F104569D409AB7AADB386D05CF90

Function 0105C5A7 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58ed4b1422e08e2fa8524957258b4f92bae825ca05a8d32400cf6997b57a712
Instruction ID: 995bc11bb5ff300ee58ab57f4d93c818904450ce26d10de8edf29fa9e115c83f
Opcode Fuzzy Hash: b58ed4b1422e08e2fa8524957258b4f92bae825ca05a8d32400cf6997b57a712
Instruction Fuzzy Hash: 27510372A007059FD7948A7CDC44AABBBFDFBC8324F14856AE999D7340D730E90187A0

Function 01050B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3487b43e2446a7d7f07127d1ba56333e0170049f9dc2b984dcebe9df48464cdd
Instruction ID: cb7e89727c3bf88676e725aa21dbdbbace85a2d760b8e8fd9dbdb2e66130abec
Opcode Fuzzy Hash: 3487b43e2446a7d7f07127d1ba56333e0170049f9dc2b984dcebe9df48464cdd
Instruction Fuzzy Hash: BEA1DC74E00209CFCF45EFA8EA9499D7BB1FB88345F104529D409BB7AADB386945CF90

Function 0105D359 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992729f83535cb82ee567ddbd722158cfcd1bac552712e748b71d51ebc261e12
Instruction ID: b5ad98ee5eb3e032366e89d892363e40ea9b611edfa9a9ad5079266db67adf4f
Opcode Fuzzy Hash: 992729f83535cb82ee567ddbd722158cfcd1bac552712e748b71d51ebc261e12
Instruction Fuzzy Hash: 785190317101158FDB94DFBDD884A6F7FEAEF8965430584ABE986CB262DB30EC018B50

Function 0105C2D0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc37fa5ea97a160414b19718c9ae05cfa72dd57238fff95295537959f3fa999
Instruction ID: 3788c794433a82bd88d3738f040b6514ed44b780420727783315bc82c27d5085
Opcode Fuzzy Hash: afc37fa5ea97a160414b19718c9ae05cfa72dd57238fff95295537959f3fa999
Instruction Fuzzy Hash: F231B831B012099FC744EBB8D855AAF7BEAEB88340F144479E949D7341DE31DE02C7A0

Function 0105D168 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cc4e9e5680d7c30fdc437cb975dd313ff63913cec653ffa93f6b286442ef5e
Instruction ID: 1c8752d9d5888833a2b1c5bcedc73ea77598ce5fb62e6553716dffe9b96b5cc7
Opcode Fuzzy Hash: e8cc4e9e5680d7c30fdc437cb975dd313ff63913cec653ffa93f6b286442ef5e
Instruction Fuzzy Hash: 5A416734600119DFDB55DFA9C998AAE7BB6FB88361F1000AAF945DB3A1CB34DD41CB90

Function 01053168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5538c64855c6cc86fbb8d2e0d9917bc5f2b6f9d58deba29a6ffcdc1d8be085fd
Instruction ID: 07a7e10954417962bb7a0e9d799159def58ececd46d9c95d09ca5de72fc16767
Opcode Fuzzy Hash: 5538c64855c6cc86fbb8d2e0d9917bc5f2b6f9d58deba29a6ffcdc1d8be085fd
Instruction Fuzzy Hash: 6041C274E01208DFDB48DFAAD984A9EBBF2BF89300F249529E805BB364DB345945CF14

Function 010599D0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3dc807403b01604bbca27a3dbee802e179896783614cca9bb83488ba26cbfe
Instruction ID: f5ce9c69b9759a0737b4741e8068e7fb4f1131339201b79b177ed47d72244ce4
Opcode Fuzzy Hash: 7e3dc807403b01604bbca27a3dbee802e179896783614cca9bb83488ba26cbfe
Instruction Fuzzy Hash: 4731CA398E32129FD2402B24A6AC13E7AB6FBCF7377407D42E11ED1011DF36D1668A56

Function 0105BE99 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8cba8f60fcce42ae4cc5bf3a9c21242e88f26fe7502bb22ee9593e962b5b4e
Instruction ID: b10408f5d05c8b661efba695cf6540fae34755e9bc00dc09e04b4602ab4e7897
Opcode Fuzzy Hash: fe8cba8f60fcce42ae4cc5bf3a9c21242e88f26fe7502bb22ee9593e962b5b4e
Instruction Fuzzy Hash: AE31FC35B001058FCB85DBA8C490E9E7BF2EF88324F595594E501EB362DA71ED85CBA1

Function 0105BECD Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62545515c8593306c195aad3370184575df9d7875e5f81331ba2a6d73ac4eb5
Instruction ID: c8c1d2c465e57fdfef8455e8f77e3d6e5d878c10b4414cf8fa2a1effc154ccc9
Opcode Fuzzy Hash: c62545515c8593306c195aad3370184575df9d7875e5f81331ba2a6d73ac4eb5
Instruction Fuzzy Hash: F9312C35B001058FCB85DBA8C490EDE7BF2EF88324F595594E501EB362CA71ED85CBA0

Function 0105D589 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d84e957cc5ab8249931fdd2525bab163c1e054b102428078ceaaff085766b1a
Instruction ID: e0acea16be9c0fbc115ae55a13653c3a93886c29966f2e375a7544cc3bcb6260
Opcode Fuzzy Hash: 2d84e957cc5ab8249931fdd2525bab163c1e054b102428078ceaaff085766b1a
Instruction Fuzzy Hash: 5221F5313002068BDB962AB9C88473F36DBAFCC714B14407ADD4AD7386DE29C843A7B1

Function 0105D598 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670d80a1d138980a43556512450211cf9b226ffa873d6393002dfd6da2a4203f
Instruction ID: b99110902962e5bf97fff7cbcbbedd4ea730d230b20154ade55afc0fddb00c6b
Opcode Fuzzy Hash: 670d80a1d138980a43556512450211cf9b226ffa873d6393002dfd6da2a4203f
Instruction Fuzzy Hash: 9921D0313002028BDBA666A9C85473F26D7AFC8714F14807ADD5ACB386DE29CC83D3A1

Function 0105C411 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec68f027e6d093f3b70b662c2a242db4650cd06ef08cbb901ea6170ecf8d663a
Instruction ID: ae6cfeca6b60986ae3e4f7b63dd6bdc2fec2ddf1301903c47172580ca83602c7
Opcode Fuzzy Hash: ec68f027e6d093f3b70b662c2a242db4650cd06ef08cbb901ea6170ecf8d663a
Instruction Fuzzy Hash: 1A21E131A052459FDB44DA78C951AAF7FAAFBC4300F248469E88697351CE318E06CB50

Function 0105D4A0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc88ed40682d271db470588216f26c968a6ffad0e2cb75e13205d7628edc4be9
Instruction ID: de708734deb2046fbf0610d555b546ddf5e7fa1a535bd638adb3cee1d3c1d83d
Opcode Fuzzy Hash: dc88ed40682d271db470588216f26c968a6ffad0e2cb75e13205d7628edc4be9
Instruction Fuzzy Hash: 8621E2317041558BDB95CFAAA980ABF7FEAEB8524CF148467FD92C7240DB30D840CB60

Function 00E7D005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451042956.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e7d000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae7a5308ffc56cdd4054754125597d3c34fbf8722d31bc92ed48908c5df5594
Instruction ID: ab263e5ff6cf601bd9b2d8c05868ec2a9137c49bd0829a646b8c0bebfb8283cc
Opcode Fuzzy Hash: cae7a5308ffc56cdd4054754125597d3c34fbf8722d31bc92ed48908c5df5594
Instruction Fuzzy Hash: C7316D7550D3C49FCB03CB24D990711BF71AF46214F29C5EBD8898F2A7C23A980ACB62

Function 010518C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fd267511c1c4ec415631a4050821a82b2fd30220d0058d9e3f0378350c758f
Instruction ID: c98704bfb5f0c788f6e659f8f881f6fea0a3b0de3c07e02a0fa92f6651839af4
Opcode Fuzzy Hash: 18fd267511c1c4ec415631a4050821a82b2fd30220d0058d9e3f0378350c758f
Instruction Fuzzy Hash: A7219035A00216DFCF95DBA8C440AEF77B5EFC9260B60C459DD599B280EB30EA06CB91

Function 00E7D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451042956.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e7d000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552c72a7e7195d34d76de26d7f1b62426db345f813fe5a97f7a612ba83dcea11
Instruction ID: dc1944483e9a8fc92c48d56d4a4e46bb99bb7752ddd82351419c166a48630552
Opcode Fuzzy Hash: 552c72a7e7195d34d76de26d7f1b62426db345f813fe5a97f7a612ba83dcea11
Instruction Fuzzy Hash: 80212271508204DFCB15DF14DD80B26BBB6FF84318F24D569E80E2B296C33AD807CA62

Function 01050EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a9e969bc01856672a37fdaedb4331a58221743945715301f33f4f17c9e7253
Instruction ID: 4313d72040197b6aadc4946e0d24e03c4902ec4faf74249212bcd3499df17226
Opcode Fuzzy Hash: 58a9e969bc01856672a37fdaedb4331a58221743945715301f33f4f17c9e7253
Instruction Fuzzy Hash: ED219270E04208DFDB45EFB9D4106AEBBB2EF85304F10C0A9D854AB396DB785A05CF51

Function 010517B8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfda312ec4bd01ed309bece9b24d3b071815639dc85322cdd2cf578311a62915
Instruction ID: d76fbc9cb18290c5ea33f0ccdd53475b115c7f9e01c5eb41ddb0551ee27c4353
Opcode Fuzzy Hash: dfda312ec4bd01ed309bece9b24d3b071815639dc85322cdd2cf578311a62915
Instruction Fuzzy Hash: 9921F470C0524A8FDB42DFB9C8445EEBFF4AF0A214F1441AAD445FB261E7395A89CBA1

Function 010593D0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c96f907a31c2cc2f97d1d2fc2e19ad35871df7b246254b1221527efdcc160e
Instruction ID: 801577bc36c6ce72bb2a345b9f23da6725315332cf365f33f08633aeac87c7d3
Opcode Fuzzy Hash: c5c96f907a31c2cc2f97d1d2fc2e19ad35871df7b246254b1221527efdcc160e
Instruction Fuzzy Hash: 3421DFB4E01219DFCB40DFA8C580AAEBFF1EB49304F1080A9E855AB361DB34AA45CF51

Function 0105C180 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9624977db5cdb3924d63e05f3a73189a387b69fb381713879fbd1f8c778d4bc
Instruction ID: d6c72615e75df8a685e0042181f67dd912002aa0d50c700c0d110a7d21a39aa4
Opcode Fuzzy Hash: e9624977db5cdb3924d63e05f3a73189a387b69fb381713879fbd1f8c778d4bc
Instruction Fuzzy Hash: 34115175300204CFD794DB69DA84E57B7EAFF89761F2084A9E94ACB361CA71EC04CB64

Function 0105C740 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9c347f0fa3937075434a3e563144426eeeedd7d75cac980d2e05577335f97d
Instruction ID: 0109e1fb872e4a7cda6763bbbcae6499ba89391ac29ca496e65e59dda05a923d
Opcode Fuzzy Hash: 3a9c347f0fa3937075434a3e563144426eeeedd7d75cac980d2e05577335f97d
Instruction Fuzzy Hash: 79118636E0030A8BDB94EFB895445EFBBFABF88610B144539D958E3700DB35DD418BA1

Function 01054850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e4aab8074af1bc3e1ac0eca08117c29a2948aedd2d7072cce2a1374bed351b
Instruction ID: 5ea77952e6f5079fb915e6b627fc156af41cd79dfe58cec0b43141009ee01fd2
Opcode Fuzzy Hash: b9e4aab8074af1bc3e1ac0eca08117c29a2948aedd2d7072cce2a1374bed351b
Instruction Fuzzy Hash: C0012832F042418FD7655BB988546BF3BEBAFC4124714407ADE05CB355FD74C8408790

Function 01054860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00630e51dd0c7798327e3567513234656db3bafb683026010c80a9c25a7f6dbb
Instruction ID: 41612ee38349781b6b340c0d0a5716e86422d91dd1ed4ffa5a0435a60f1c4981
Opcode Fuzzy Hash: 00630e51dd0c7798327e3567513234656db3bafb683026010c80a9c25a7f6dbb
Instruction Fuzzy Hash: 9E01D132F002118FD768ABBA884867F76EBAFC4564360447ADE05C7359FE71CC0087A0

Function 0105C521 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21d79a28bb1a2cf19a9aa8edb6490aff32e52c232b594ba9ca7050d542622e7
Instruction ID: b1f4c989722090b7f1f5fa5609da0b8a9ee5a78241e204185a672421c8edaec4
Opcode Fuzzy Hash: d21d79a28bb1a2cf19a9aa8edb6490aff32e52c232b594ba9ca7050d542622e7
Instruction Fuzzy Hash: 74012676B042908BEB062BB89D1847F3FDAEBC53117184863F646CB742DE29CD62C751

Function 0105AF28 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94bc25f2fa0b0836720fd0c9b6d66dbc81a222600d1ed3240146e8fc74bb541
Instruction ID: 2e30866bf78f73110b57f2f93d2387b6f745716f1d10d91a34d0b86cb58a4e78
Opcode Fuzzy Hash: a94bc25f2fa0b0836720fd0c9b6d66dbc81a222600d1ed3240146e8fc74bb541
Instruction Fuzzy Hash: F1017575A01119AFCB50DFA9DC44AAF7BB6FB88320B004536F859D3240DB31C9218BA1

Function 0105AF38 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba82e12b94b17271ecc72e63dccb43bb5ec42940d58c852a9073c76aa9e36fb1
Instruction ID: 3314efdd4308d7b2b0bbf0d92fb68af8c6ec824af3bcb3bb5b6827964ff1421e
Opcode Fuzzy Hash: ba82e12b94b17271ecc72e63dccb43bb5ec42940d58c852a9073c76aa9e36fb1
Instruction Fuzzy Hash: 52014475E411099FCB54DFA8D8446AF7BB6EB84320B004536FD5AD3281DB31C9218BA1

Function 010591A8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97140f37d1837b35ee21103faff6dc0c5f96dd09803aa0c70a2b3c9a39315b0
Instruction ID: a4e6a61cff4a5124c849c0761d9ed09ecfad6c9395ab792ca589f9d266ce2dd7
Opcode Fuzzy Hash: d97140f37d1837b35ee21103faff6dc0c5f96dd09803aa0c70a2b3c9a39315b0
Instruction Fuzzy Hash: 1501AD35D00204DFDB44DFA1D909AADB7B1FB8D305F105828EA0663290CB7ACA66CB20

Function 0105C7D9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc500fa979342d93646c9673a5d30d6658f8fb95cf773a5ad309394730b61fd
Instruction ID: 2cff41ba1f6dfe084f00b8d205023fcd61b89a83ce3f76bdc36e792ad5ec0f56
Opcode Fuzzy Hash: fdc500fa979342d93646c9673a5d30d6658f8fb95cf773a5ad309394730b61fd
Instruction Fuzzy Hash: F2F0B432B052155BD755566DE815BBFB7DEDBC5231F1800BAE908D7350CF72D80187A0

Function 0105C017 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90bb919cf37c9571743a6948ae1916cf4770489fd4616604685cbc8bd3dd105f
Instruction ID: d7e20dfc28e34ae24f52db91404b440cd021b656c615265695e3ba38850b073b
Opcode Fuzzy Hash: 90bb919cf37c9571743a6948ae1916cf4770489fd4616604685cbc8bd3dd105f
Instruction Fuzzy Hash: 98F09671900205AF8B51DFADD880AEFFBF6FF88350B444526D945E7301EA319611C7E5

Function 0105C4D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9854e514a73f44938ed44ab9f34967419e620aa375a5472097353386170c9d
Instruction ID: 89105641948a495658db372b9f0cfe4e645da1968074315018316b961685b16c
Opcode Fuzzy Hash: fe9854e514a73f44938ed44ab9f34967419e620aa375a5472097353386170c9d
Instruction Fuzzy Hash: 5EF03A35300205DFC750CF69D484C6ABBE9FF88725B518069EA0A87331CB71DC12CB50

Function 01059380 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ed36fa22b86be4c15f89488047b13b978f9be2f8b8661ba33b0ebbb1110311
Instruction ID: b3b9c95342b870419764fc19f6dfbb85c0ad723090a0961e9adb5e5a465ccbe4
Opcode Fuzzy Hash: 37ed36fa22b86be4c15f89488047b13b978f9be2f8b8661ba33b0ebbb1110311
Instruction Fuzzy Hash: 06F08C74C04244DFDB80DFB8A94619DBFB0EB4A305F2494AAC844E3252EB318A56CB00

Function 010546C9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd3c97cbc841ad5dee7a07afb19aa78d930e585516e0d2c1ec2fc039c85a0a8
Instruction ID: 2116e0c7b55a3f259219f5c92b6decd130267c7b8d01c9a7363a3fb764986238
Opcode Fuzzy Hash: 3dd3c97cbc841ad5dee7a07afb19aa78d930e585516e0d2c1ec2fc039c85a0a8
Instruction Fuzzy Hash: 10F09236465B428FE310AB66ACAC66ABB60EB0B303B442D44E01EA1062CBA010988F14

Function 010546D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c048ef3256692a16fa7c98f4962747a9b9ae83fe6054c67bed28f1b34c1866
Instruction ID: 1e5db5cbca4b1a1888b2b06d662663b8bb60414f58ae7a0dd7e2d8f06dbd5ee1
Opcode Fuzzy Hash: 73c048ef3256692a16fa7c98f4962747a9b9ae83fe6054c67bed28f1b34c1866
Instruction Fuzzy Hash: CEE09236021B07CFE350AB62ACAC23A7A65EB0B313B802C00A00EA00718FB014D88F14

Function 01051877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32bc613204884d9a6f53670b85fc3870282e0c73d7ddcdf9dfc7847013880a8
Instruction ID: 447128e5d65dc8ba37d551ec1ed6967132dc6402ca96a64fe259bb8e084d29f5
Opcode Fuzzy Hash: a32bc613204884d9a6f53670b85fc3870282e0c73d7ddcdf9dfc7847013880a8
Instruction Fuzzy Hash: A7E092319163A68ACB039BB498040DDBF34AE9321079542A7D054AA052EA30154DC762

Function 01059390 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0291f481cce3315c06951ff05a577922cd489a9b277831cec3258a2bb3e8f5b5
Instruction ID: 7279ab2e472522dcbe1120847972e0299d092059b9a08eeb46aef7f5375bd4ce
Opcode Fuzzy Hash: 0291f481cce3315c06951ff05a577922cd489a9b277831cec3258a2bb3e8f5b5
Instruction Fuzzy Hash: 4EE01274D04208DFC784DFB9E54455DBBF4AB49305F2094A9D848E3351EB319E55CB40

Function 01059491 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a301445430fab1aa7b2935be9c0e213dd77314d32d52ac2ea7bb3ebff590d7f8
Instruction ID: 4e535bedf8a4ff89d99574184604b7b2085335f19a2da5e4928e084f29f13bd7
Opcode Fuzzy Hash: a301445430fab1aa7b2935be9c0e213dd77314d32d52ac2ea7bb3ebff590d7f8
Instruction Fuzzy Hash: 5ED05B71801258EBD784CE65EC05FABBF7CD742209F000565790873260DF79EE50D9A5

Function 01051888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bec2d1a95c25bf2bb04c7c4672038b5336bd4de21c30a1e22f7b1f74fd524b
Instruction ID: d710834d381a1695c3e8593ad08df67f8b65af633aa7a0c263548478e8752e7d
Opcode Fuzzy Hash: c3bec2d1a95c25bf2bb04c7c4672038b5336bd4de21c30a1e22f7b1f74fd524b
Instruction Fuzzy Hash: BFD01231D2032A968B00A6E5DC044DEB738EED5261B914626D51437140EB70265986A1

Function 0105C580 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85bbac552dff416e40bfb240132286b415e69829428743b1641590437f74fe2b
Instruction ID: 6b18b53f20e6a9a15ee571b69e81b1d0862ecf0ef244afe03de7a7380ea1c3f6
Opcode Fuzzy Hash: 85bbac552dff416e40bfb240132286b415e69829428743b1641590437f74fe2b
Instruction Fuzzy Hash: 00D0C73A744614674B152A49A8048BE7F9EE7CD7717148027F90587700CE76CD2397D5

Function 0105E2DD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8c19d761a1239525e9e02c51ffb4a245d0d7a4ec6fb58993b503a09de62344
Instruction ID: 8a1491633f36597e4a42fe154ef7494c8812d80e545b01237913ffddcb61b313
Opcode Fuzzy Hash: 8c8c19d761a1239525e9e02c51ffb4a245d0d7a4ec6fb58993b503a09de62344
Instruction Fuzzy Hash: 48D0673AB100089FCB149F98E8408DDBB76FB98321B048126F915A7261C7319961DB50

Function 010594A0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3492e8529fda1862eaa8e9ec9c70f9b15b9616cbf42e4cd477288bc1aec6769
Instruction ID: 2343421f5ceeb1f7c52960be7860081481656e0f7d1af81028bb10ce77bbd865
Opcode Fuzzy Hash: d3492e8529fda1862eaa8e9ec9c70f9b15b9616cbf42e4cd477288bc1aec6769
Instruction Fuzzy Hash: 19D0A971800248DBC780CFA4E804A2AFBB8A742205F0000A8980823260DB718D10CA94

Function 01059529 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e89cf0e517de40610db0db11fd841d39ad0f9caf037b182c840a726c81cb31
Instruction ID: 810e4e2716992bc2c5c3cb0a87b9ab0c8795f35ef50817a068db07adb7482027
Opcode Fuzzy Hash: f2e89cf0e517de40610db0db11fd841d39ad0f9caf037b182c840a726c81cb31
Instruction Fuzzy Hash: A3C0803E104201F7C7019750DC02FDFBF57DBD4354F04C518704451275C534D9604672

Function 01054831 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b805bf1844bbc59106b5e5ddafee8f1f36552e88c1d57270280f123198393e
Instruction ID: e9fe38285e9d7e5d64f53e2014234f9691be30eaa5c11d515653f993ce284b44
Opcode Fuzzy Hash: 77b805bf1844bbc59106b5e5ddafee8f1f36552e88c1d57270280f123198393e
Instruction Fuzzy Hash: B1C04C7144D3E54FCF27476454650A67FB09D4361075808CBE4C15E05BE1185605D742

Non-executed Functions

Function 0105EB00 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4869ed39052ccd71665e47b1bed61c5833c45c0b0cfd1426e00837c0923999a
Instruction ID: 9ed0ef03a54e2cb938f7dfec352e6e1beb96c3c30eb847fba37e07134b96d47f
Opcode Fuzzy Hash: c4869ed39052ccd71665e47b1bed61c5833c45c0b0cfd1426e00837c0923999a
Instruction Fuzzy Hash: F102D974E00218CFDB55DFA8C984B9EBBB2BF88304F1584A9D859AB355DB34AE41CF50

Function 0105F0D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6e4ba6643e1fefc6442351a1e75f3d4e3fd5fb128cb116116533b6c24fc1b6
Instruction ID: 2fc4ffd49f0f479e63105a55ee66d9e4edb2238968b05c8b415c822b620376f1
Opcode Fuzzy Hash: 2f6e4ba6643e1fefc6442351a1e75f3d4e3fd5fb128cb116116533b6c24fc1b6
Instruction Fuzzy Hash: A1C1B274E01218CFDB54DFA5C994B9DBBB2BF89304F2080AAD809AB355DB349E85CF50

Function 0105F528 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a78a32b850399eed7ef508236d2b62de773bdf105ea3bfe7163703b2b93f458
Instruction ID: b72ad324fb8a3ecd6354dc5c3c2cbfb061c93fe9f7001e43126b0efb09db65d3
Opcode Fuzzy Hash: 3a78a32b850399eed7ef508236d2b62de773bdf105ea3bfe7163703b2b93f458
Instruction Fuzzy Hash: CFC1C274E00218CFDB54DFA5C994B9DBBB2BF88304F2084AAD809AB355DB349E85CF50

Function 0105F980 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2451923108.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1050000_Bank Swift Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b8766bda05ebebace2ce777f25354efad148ef143400d1716635ef36848eea
Instruction ID: 606258da387b8d054b927f077f2dfce04d8c007f65d7ae83ceea1684198c2e70
Opcode Fuzzy Hash: 84b8766bda05ebebace2ce777f25354efad148ef143400d1716635ef36848eea
Instruction Fuzzy Hash: 71C1B174E01218CFDB54DFA5C994B9DBBB2EF89304F2084AAD809AB355DB349E85CF50

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bank Swift Payment.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bank Swift Payment.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1s22uek3.rpy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njrozhuy.yv2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfvi515l.wfl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytwdzvdo.iw1.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Bank Swift Payment.bat.exe

Function 02553E1C Relevance: 2.2, Strings: 1, Instructions: 955
COMMON

Function 0255EF78 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0255590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 0255449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0255F1C0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0255CDB8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre