Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SWIFT copy.29112022.Pdf.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.8190439753914545
Filename:	SWIFT copy.29112022.Pdf.exe
Filesize:	763392
MD5:	5f400bae896422a69db460a4507fd657
SHA1:	e90b7c431d34b39bef8492de7fb987f51c3fb804
SHA256:	d5de496be1535d0b8d9c8f57087e9ae2a26aaf7c33c2ddca65b3231dc3b2460b
SHA512:	7e54192c570d2a7fe7700d69bd782173dfe41dc102afceffbda47207d4bfcb80783f7c70bf9666e287ccbcf413bf482aeb321fe559ba7b75ae43416b0feee643
SSDEEP:	12288:ZYn2P8Ai1FDasqS6/0kz0z63eR7J/ZmhOQQVvedp:qn20t1Ffl+0kzAttq62
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.................0.............>.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Machine Learning detection for sample	AV Detection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Yara signature match	System Summary
Antivirus or Machine Learning detection for unpacked file	AV Detection
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Sample is known by Antivirus	System Summary
Found malware configuration	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Uses an in-process (OLE) Automation server	System Summary
Queries process information (via WMI, Win32_Process)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
SQL strings found in memory and binary data	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT copy.29112022.Pdf.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT copy.29112022.Pdf.exe.log
Category:	dropped
Dump:	SWIFT copy.29112022.Pdf.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.355304211458859
Encrypted:	false
Ssdeep:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe

Details

Is windows:	false
Is dropped:	false
PID:	5752
Target ID:	0
Parent PID:	3452
Name:	SWIFT copy.29112022.Pdf.exe
Path:	C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
Commandline:	C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
Size:	763392
MD5:	5F400BAE896422A69DB460A4507FD657
Time:	18:25:00
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc50000
Modulesize:	786432
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe

Details

Is windows:	false
Is dropped:	false
PID:	6072
Target ID:	1
Parent PID:	5752
Name:	SWIFT copy.29112022.Pdf.exe
Path:	C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
Commandline:	C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
Size:	763392
MD5:	5F400BAE896422A69DB460A4507FD657
Time:	18:25:11
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd00000
Modulesize:	786432
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://127.0.0.1:HTTP/1.1

unknown

http://www.sakkal.comrm

unknown

http://www.fonts.comjat

unknown

http://www.fontbureau.com/designers

unknown

http://www.jiyu-kobo.co.jp/Xx

unknown

http://www.jiyu-kobo.co.jp/Verd

unknown

http://www.sajatypeworks.com

unknown

http://www.fontbureau.comas

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.jiyu-kobo.co.jp/jp/i9

unknown

http://www.fontbureau.com/designersers

unknown

http://www.jiyu-kobo.co.jp/?9g

unknown

http://www.sakkal.comf

unknown

http://www.jiyu-kobo.co.jp/i9

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.jiyu-kobo.co.jp/Y0

unknown

http://www.ascendercorp.com/typedesigners.html

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://www.fontbureau.com.TTF

unknown

https://api.ipify.org%

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

unknown

http://www.carterandcone.comtig

unknown

http://www.galapagosdesign.com/M95

unknown

http://www.jiyu-kobo.co.jp/Y0nf9

unknown

http://www.galapagosdesign.com/

unknown

http://www.jiyu-kobo.co.jp/t9

unknown

http://www.carterandcone.comf

unknown

http://www.fontbureau.comcoma

unknown

http://www.carterandcone.comd

unknown

http://www.sajatypeworks.comegr

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

unknown

http://www.jiyu-kobo.co.jp/jp/W8

unknown

http://www.jiyu-kobo.co.jp/M95

unknown

http://www.carterandcone.coml

unknown

http://www.founder.com.cn/cn/

unknown

http://www.fontbureau.com/designers/frere-jones.html

unknown

http://www.carterandcone.comont

unknown

http://www.agfamonotype.A

unknown

http://MBStZn.com

unknown

http://www.sajatypeworks.comria

unknown

http://www.fontbureau.comionF

unknown

http://www.carterandcone.comsig

unknown

http://www.zhongyicts.com.cn=

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.fontbureau.com/designers/cabarga.html/

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://www.carterandcone.comcin

unknown

http://www.fontbureau.com/designers?

unknown

http://www.carterandcone.comams

unknown

http://www.fonts.com//w

unknown

http://www.monotype.UC

unknown

http://www.fontbureau.comW8

unknown

http://www.tiro.com

unknown

http://www.fontbureau.com/designersZ

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designersh

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://fontfabrik.com

unknown

http://www.carterandcone.comw.m

unknown

http://www.carterandcone.comits

unknown

http://www.fontbureau.com/designerse

unknown

http://www.founder.ce

unknown

https://api.ipify.org%GETMozilla/5.0

unknown

http://www.fontbureau.com/designersv

unknown

http://www.fontbureau.comttoF

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.founder.com.cn/cnf

unknown

http://www.galapagosdesign.com/staff/dennis.htmQ

unknown

http://www.sakkal.com

unknown

http://www.fontbureau.comsiva

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.carterandcone.comexc

unknown

http://www.fontbureau.com

unknown

http://DynDns.comDynDNS

unknown

http://www.fontbureau.comF

unknown

http://www.sajatypeworks.comu

unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SWIFT copy.29112022.Pdf.exe

Files

Processes

URLs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSWIFT copy.29112022.Pdf.exe

Files

Processes

URLs

IOC Report
SWIFT copy.29112022.Pdf.exe