Windows Analysis Report
SWIFT_USD_165092.exe

Overview

General Information

Sample Name: SWIFT_USD_165092.exe
Analysis ID: 872897
MD5: 22ba147ed50ff44941fe486426432115
SHA1: a113bcca40c9c420442533589311a74ef0e30e96
SHA256: bebd7434928eb7d1fb89a84ba41c3838fb5734f446b58b8bfb2d5dddf48e518b
Tags: exe

Detection

Typhon Logger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Yara detected Typhon Logger
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Contains functionality to log keystrokes (.Net Source)
Uses the Telegram API (likely for C&C communication)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • SWIFT_USD_165092.exe (PID: 5764 cmdline: C:\Users\user\Desktop\SWIFT_USD_165092.exe MD5: 22BA147ED50FF44941FE486426432115)
    • SWIFT_USD_165092.exe (PID: 5640 cmdline: C:\Users\user\Desktop\SWIFT_USD_165092.exe MD5: 22BA147ED50FF44941FE486426432115)
      • tasklist.exe (PID: 7068 cmdline: tasklist MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
        • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6960 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4996 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2372 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2832 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\404d522a-62f5-4eb2-91f4-202649d15261 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4724 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WerFault.exe (PID: 5760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 3108 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • cmd.exe (PID: 7008 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6992 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 760 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 4744 cmdline: cmd.exe" /C copy "C:\Users\user\Desktop\SWIFT_USD_165092.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5716 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
    • svchost.exe (PID: 5484 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
      • tasklist.exe (PID: 4768 cmdline: tasklist MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
        • conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 7132 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 996 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5220 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4436 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\88560075-49ce-438f-ba24-9980eb388270 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2372 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4756 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5740 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 3016 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 256 cmdline: cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • msiexec.exe (PID: 6876 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
  • svchost.exe (PID: 6708 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
    • svchost.exe (PID: 2332 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
      • tasklist.exe (PID: 920 cmdline: tasklist MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
        • conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 204 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2448 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)