Play interactive tour
Edit tourAnalysis Report SWIFT.doc
Overview
General Information
| Sample Name: | SWIFT.doc |
| Analysis ID: | 330287 |
| MD5: | 516028d299e8b6b9f947fdb4541a5d7e |
| SHA1: | fa9c3d41dcd61c1dcade0ba7943882cf640a71cd |
| SHA256: | 6de5a6a916916823583495dae424fa8ce2f54c33f2a67da83337b6f2579e816c |
| Tags: | doc |
Most interesting Screenshot:  | |
Detection
HawkEye M00nD3v Logger MailPassView
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected M00nD3v Logger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: HawkEye |
|---|
{"Modules": ["mailpv"], "Version": ""}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | ||
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | ||
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | ||
| APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth |
| |
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | ||
| Click to see the 19 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth |
| |
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | ||
| APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth |
| |
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | ||
| APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth |
| |
| Click to see the 10 entries | ||||
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Droppers Exploiting CVE-2017-11882 | Show sources | ||
| Source: | Author: Florian Roth: | ||
| Sigma detected: EQNEDT32.EXE connecting to internet | Show sources | ||
| Source: | Author: Joe Security: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Antivirus detection for URL or domain | Show sources | ||
| Source: | Avira URL Cloud: | ||
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira: | ||
Exploits: | |
|---|
| Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) | Show sources | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Directory queried: | ||
| Source: | Code function: | 10_2_0040702D | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 9_2_0024A8E8 | |
| Source: | Code function: | 9_2_0024A8E2 | |
| Source: | Code function: | 9_2_00600A88 | |
| Source: | Code function: | 9_2_00600A78 | |
| Source: | DNS query: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||