Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SWIFT_ACK-89813.02.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.88855983952812
Filename:	SWIFT_ACK-89813.02.exe
Filesize:	167936
MD5:	2f19182da895afc914c7b9851a4f2d49
SHA1:	7d111bd6284cdd87498e72d90a595aea9fc35d5d
SHA256:	24d5129d6ecbe5ba5e88077d1207bc09fc68d076dea00892bc614a267f9f0b1b
SHA512:	33d80fe64688914261600b5de5ba2f984206c0574db2dc357da3966429034e23ea06308f30d399564a8b4a49ed521c27584f7b0d43445c7eaad00ff178edbb52
SSDEEP:	1536:w4P8PO3YuBX0051Zy0U4SfGaIsmJNa+I37KTqzc9TPVhp4N3L32DdX0:nP8mVVztUjBmJNS7hzc9c32DdX0
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\.......%.......Rich............................PE..L...E.7W.................`...P......\........p....@

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Tries to detect Any.run	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Abnormal high CPU Usage	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file contains strange resources	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Checks if the current process is being debugged	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)	System Summary
Uses an in-process (OLE) Automation server	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries a list of all running drivers	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\~DF7BE3E0977138378C.TMP

Composite Document File V2 Document, Cannot read section info

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DF7BE3E0977138378C.TMP
Category:	dropped
Dump:	~DF7BE3E0977138378C.TMP.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe
Type:	Composite Document File V2 Document, Cannot read section info
Entropy:	0.9710024410534099
Encrypted:	false
Ssdeep:	24:rohDKrA3iuOH/3+apRIJ0lBefVYyy/iolnBX2Vr:r4KrAyx5o03weyy/iolnB2
Size:	16384
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Roaming\gfh3sqpf.wnq\Chrome\Default\Cookies

SQLite 3.x database, last written using SQLite version 3035005

dropped

Details

File:	C:\Users\user\AppData\Roaming\gfh3sqpf.wnq\Chrome\Default\Cookies
Category:	dropped
Dump:	Cookies.10.dr
ID:	dr_2
Target ID:	10
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Type:	SQLite 3.x database, last written using SQLite version 3035005
Entropy:	3.758760013585961
Encrypted:	false
Ssdeep:	384:qGHsAH0UkOYBOYVOQ0fH8VnRMD+lEofbKWc9JqxYuiAAW2QBRW9TYVVox:pHO9FVISnSSlpDK9SiyBRCcS
Size:	73728
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Roaming\gfh3sqpf.wnq\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite

SQLite 3.x database, user version 12, last written using SQLite version 3036000

modified

Details

File:	C:\Users\user\AppData\Roaming\gfh3sqpf.wnq\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Category:	modified
Dump:	cookies.sqlite.10.dr
ID:	dr_3
Target ID:	10
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000
Entropy:	0.08231524779339361
Encrypted:	false
Ssdeep:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
Size:	98304
Whitelisted:	false
Reputation:	moderate

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.10.dr
ID:	dr_1
Target ID:	10
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.964735178725505
Encrypted:	false
Ssdeep:	3:IBVFBWAGRHneyy:ITqAGRHner
Size:	30
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe

"C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7976
Target ID:	2
Parent PID:	7536
Name:	SWIFT_ACK-89813.02.exe
Path:	C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe
Commandline:	"C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe"
Size:	167936
MD5:	2F19182DA895AFC914C7B9851A4F2D49
Time:	08:38:01
Date:	14/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	180224
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2756
Target ID:	10
Parent PID:	7976
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe"
Size:	108664
MD5:	914F728C04D3EDDD5FBA59420E74E56B
Time:	08:38:38
Date:	14/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xae0000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3332
Target ID:	11
Parent PID:	2756
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	875008
MD5:	81CA40085FC75BABD2C91D18AA9FFA68
Time:	08:38:38
Date:	14/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff62c0b0000
Modulesize:	901120
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://doc-14-38-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/soe8mhoj

unknown

http://127.0.0.1:HTTP/1.1

unknown

https://doc-14-38-docs.googleusercontent.com/

unknown

http://DynDns.comDynDNS

unknown

https://sectigo.com/CPS0

unknown

http://crl.coms

unknown

https://doc-14-38-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/soe8mhoj34v0um28d5e8a2l91ddqufj5/1639467525000/03916840094075221792/*/1sW9pADfhXH64ij3XW0uAfaPSES7O-x1G?e=download

142.250.185.65

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

unknown

https://drive.google.com/

unknown

http://mail.fortunametals.es

unknown

https://api.ipify.org%4

unknown

https://doc-14-38-docs.googleusercontent.com/N

unknown

http://fortunametals.es

unknown

https://support.google.com/chrome/?p=plugin_flash

unknown

https://api.ipify.org%GETMozilla/5.0

unknown

http://rDm1I0JP9ah.net

unknown

http://rDm1I0JP9ah.nett-

unknown

https://csp.withgoogle.com/csp/report-to/gse_l9ocaq

unknown

There are 8 hidden URLs, click here to show them.

Domains

Name

Malicious

fortunametals.es

94.23.221.28

Details

Name:	fortunametals.es
IP:	94.23.221.28
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

mail.fortunametals.es

unknown

drive.google.com

142.250.186.78

Details

Name:	drive.google.com
IP:	142.250.186.78
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

googlehosted.l.googleusercontent.com

142.250.185.65

Details

Name:	googlehosted.l.googleusercontent.com
IP:	142.250.185.65
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

doc-14-38-docs.googleusercontent.com

unknown

Details

Name:	doc-14-38-docs.googleusercontent.com
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

94.23.221.28

fortunametals.es

France

Details

IP:	94.23.221.28
TargetID:	10
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	France
Countrycode:	FRA
ASN number:	16276
ASN name:	OVHFR
Private:	false
Domain:	fortunametals.es

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol

142.250.186.78

drive.google.com

United States

Details

IP:	142.250.186.78
TargetID:	10
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	drive.google.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

142.250.185.65

googlehosted.l.googleusercontent.com

United States

Details

IP:	142.250.185.65
TargetID:	10
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	googlehosted.l.googleusercontent.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\subideal\Eyeliners

HARNISKKLDT

Memdumps

Base Address

Regiontype

Protect

Malicious

23B0000

unkown

page execute and read and write

F00000

unkown

page execute and read and write

1E071000

unkown

page read and write

1E0C2000

unkown

page read and write

1CDF1000

unkown

page read and write

1CDF1000

unkown

page read and write

1480000

stack

page read and write

DB2000

unkown

page read and write

400000

unkown image

page readonly

1460000

stack

page read and write

1450000

stack

page read and write

1420000

stack

page read and write

1CDF1000

unkown

page read and write

7FF530DBE000

unkown image

page readonly

1CDF1000

unkown

page read and write

1CDF1000

unkown

page read and write

1CDF1000

unkown

page read and write

1CDF1000

unkown

page read and write

20315000

unkown

page read and write

E00000

unkown

page read and write

1CDF1000

unkown

page read and write

1CDF1000

unkown

page read and write

202C9000

unkown

page read and write

773EFF000

stack

page read and write

1450000

stack

page read and write

1450000

stack

page read and write

20380000

unkown

page read and write

14A0000

stack

page read and write

1450000

stack

page read and write

E00000

unkown

page read and write

7FA50000

unkown image

page readonly

1455000

stack

page read and write

1450000

stack

page read and write

1CDF1000

unkown

page read and write

20320000

unkown

page read and write

1CDF1000

unkown

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

Domains

IPs

Registry

Memdumps