Windows Analysis Report T-T Swift Copy.exe

Overview

General Information

Sample Name:	T-T Swift Copy.exe
Analysis ID:	510295
MD5:	a3127d76c37d53a8ecaab821ce5d99a6
SHA1:	fe6529ff55514634d6cde730e4c4c5b664b02ccf
SHA256:	d9ca56d191efaa8ac5beee52f508082d6e8efb29045bb61c23851537982fa6bf
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

DBatLoader FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected DBatLoader

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: Execution from Suspicious Folder

Maps a DLL or memory area into another process

Writes to foreign memory regions

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

PE file contains strange resources

Drops PE files

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Found potential string decryption / allocating functions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Enables debug privileges

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000011.00000000.406123178.0000000072480000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ehawkstech.com/s4mt/"], "decoy": ["deviousrofwft.xyz", "iphone13.photos", "cameraderie.info", "flogotwheelz.com", "lunasconstructionllc.com", "unameofficial.com", "digitalboat.cloud", "hifi-cans.com", "breskizci.com", "kyleandconner.com", "punnyaseva.com", "elitephotoedit.com", "pizzatallrikar.one", "espacio40.com", "bvgsf.xyz", "splootingcorgi.com", "metaverse360.biz", "xnegbuy.com", "buysubarus.com", "optophonia.com", "jingcai16.com", "verdantpor.xyz", "mandyfarricker.com", "affiliategang.com", "chemissimo.com", "myspecialgift4you.com", "21cfintech.com", "parsvivid.com", "ufabetkhmer.net", "litunity.com", "bcwis.com", "ekokosiarki.com", "expocanna.net", "shanichara.com", "brightstarlogisticss.com", "intaom.net", "petshop.zone", "habxgg.com", "taiqen.com", "vehiculosvivienda.com", "igsc-eg.com", "jfhy88.com", "circuspolitician.com", "etxperiodontics.com", "wsxkd.com", "abosasaio.com", "magnacursos.online", "indigenousjobs.net", "digital904.com", "pp-jm.com", "hkqlxc.com", "mygutimautpribuinrop.com", "cosplayharem.com", "jsxybq.com", "fieldstationlodges.com", "ggrow-hairsalon.com", "aureliemorgane.com", "yian-ho.com", "woruke.club", "meet-hamburg.com", "leadergaterealty.com", "choitokki.com", "cfweb.tools", "loveyopu.com"]}

Yara detected FormBook

Source: Yara match	File source: 17.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.476572869.0000000006D0E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.406123178.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.407026308.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.406606133.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.405354552.0000000072480000.00000040.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe

ReversingLabs: Detection: 38%

Antivirus or Machine Learning detection for unpacked file

Source: 17.0.mobsync.exe.72480000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.mobsync.exe.72480000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.mobsync.exe.72480000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.mobsync.exe.72480000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: T-T Swift Copy.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.ehawkstech.com/s4mt/

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 17.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.476572869.0000000006D0E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.406123178.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.407026308.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.406606133.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.405354552.0000000072480000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 17.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.476572869.0000000006D0E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.476572869.0000000006D0E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.406123178.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.406123178.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.407026308.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.407026308.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.406606133.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.406606133.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.405354552.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.405354552.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: T-T Swift Copy.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Yara signature match

Source: 17.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.522824405.000000000DDB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000012.00000000.476572869.0000000006D0E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.476572869.0000000006D0E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.406123178.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.406123178.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.407026308.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.407026308.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.406606133.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.406606133.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.405354552.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.405354552.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\Libraries\owgkuB.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

PE file contains strange resources

Source: T-T Swift Copy.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Bukgwo.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Found potential string decryption / allocating functions

Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	Code function: String function: 0270A454 appears 32 times
Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	Code function: String function: 0270D424 appears 48 times
Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	Code function: String function: 021FAAB8 appears 64 times
Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	Code function: String function: 0270837C appears 80 times
Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	Code function: String function: 021F837C appears 80 times
Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	Code function: String function: 021FD424 appears 48 times
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: String function: 0234D424 appears 36 times

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory allocated: 72480000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory allocated: 72480000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory allocated: 72480000 page no access	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory allocated: 72480000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory allocated: 72481000 page read and write	Jump to behavior

Source: C:\Users\user\Desktop\T-T Swift Copy.exe

File read: C:\Users\user\Desktop\T-T Swift Copy.exe

Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\T-T Swift Copy.exe 'C:\Users\user\Desktop\T-T Swift Copy.exe'
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe 'C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe 'C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe'
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe 'C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe'	Jump to behavior

Source: C:\Users\user\Desktop\T-T Swift Copy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Yara match	File source: 00000015.00000002.520675116.00000000021A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.521099997.00000000026B0000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A584 push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A584 push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A584 push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A584 push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A584 push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A584 push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A584 push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A584 push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A584 push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A58E push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A58E push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A58E push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A58E push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A58E push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A58E push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A58E push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A58E push eax; ret	0_3_0234A5C0
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Code function: 0_3_0234A58E push eax; ret	0_3_0234A5C0

Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Bukgwo			Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Bukgwo			Jump to behavior

Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe	RDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mobsync.exe	RDTSC instruction interceptor: First address: 000000007248898E second address: 0000000072488994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: explorer.exe, 00000012.00000000.427677045.0000000008AEA000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.430733448.000000000DD50000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.414140722.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.461548736.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000012.00000002.532156882.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000012.00000000.495160737.0000000008AB2000.00000004.00000001.sdmp	Binary or memory string: Prod_VMware_SATA-6
Source: explorer.exe, 00000012.00000000.491525429.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000012.00000000.464859424.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000012.00000000.491525429.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 72480000	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 1000000	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 1010000	Jump to behavior

Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 72480000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 1000000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\T-T Swift Copy.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 1010000 protect: page execute and read and write	Jump to behavior

Source: explorer.exe, 00000012.00000000.427087654.00000000089FF000.00000004.00000001.sdmp, Bukgwo.exe, 00000015.00000002.519902050.0000000000D50000.00000002.00020000.sdmp, Bukgwo.exe, 00000018.00000002.519458391.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000012.00000000.450521833.0000000001640000.00000002.00020000.sdmp, Bukgwo.exe, 00000015.00000002.519902050.0000000000D50000.00000002.00020000.sdmp, Bukgwo.exe, 00000018.00000002.519458391.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000012.00000000.450521833.0000000001640000.00000002.00020000.sdmp, Bukgwo.exe, 00000015.00000002.519902050.0000000000D50000.00000002.00020000.sdmp, Bukgwo.exe, 00000018.00000002.519458391.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000012.00000000.448726082.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000012.00000000.450521833.0000000001640000.00000002.00020000.sdmp, Bukgwo.exe, 00000015.00000002.519902050.0000000000D50000.00000002.00020000.sdmp, Bukgwo.exe, 00000018.00000002.519458391.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000012.00000000.450521833.0000000001640000.00000002.00020000.sdmp, Bukgwo.exe, 00000015.00000002.519902050.0000000000D50000.00000002.00020000.sdmp, Bukgwo.exe, 00000018.00000002.519458391.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Name	IP	Active
onedrive.live.com	unknown	unknown
vhpf4g.bn.files.1drv.com	unknown	unknown

ID:	510295
Product:	CloudBasic
Start time:	17:20:15
Start date:	27.10.2021
Sample:	T-T Swift Copy.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	a3127d76c37d53a8ecaab821ce5d99a6
SHA1:	fe6529ff55514634d6cde730e4c4c5b664b02ccf
SHA256:	d9ca56d191efaa8ac5beee52f508082d6e8efb29045bb61c23851537982fa6bf
Filetype:	Win32 Executable (generic) a (10002005/4) 99.24%

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\Libraries\Bukgwo\Bukgwo.exe	PE32 executable (GUI) Intel 80386, for MS Windows	A3127D76C37D53A8ECAAB821CE5D99A6	FE6529FF55514634D6CDE730E4C4C5B664B02CCF	D9CA56D191EFAA8AC5BEEE52F508082D6E8EFB29045BB61C23851537982FA6BF
C:\Users\Public\Libraries\owgkuB.url	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\\\Bukgwo\\Bukgwo.exe">), ASCII text, with CRLF line terminators	FDC2ECE626A79B30C114488195904125	0E282FA6243F23E1388E1711A43D3F4033EDFD9F	23976F3C585AEF6EAEE80D2FF579B4114B06766A101F1A0788CD0E129FEBF84E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Bukgwonqgngtrpkjastfgihmnxlmffz[2]	data	00BF4E71F9A6ECAD41587045D5591BE4	DAC3E45F849E280ABDEECB0010F71DB7FB92F68C	D8C8989468B6EE8526A595B49DE36162DB5C6DE86DA9236529763AE16D0AE7C6

Windows Analysis Report T-T Swift Copy.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs