Windows
Analysis Report
SWIFT_USD_165092.exe
Overview
General Information
Detection
Typhon Logger
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Yara detected Typhon Logger
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Contains functionality to log keystrokes (.Net Source)
Uses the Telegram API (likely for C&C communication)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
- SWIFT_USD_165092.exe (PID: 5764 cmdline: C:\Users\user\Desktop\SWIFT_USD_165092.exe MD5: 22BA147ED50FF44941FE486426432115)
  - SWIFT_USD_165092.exe (PID: 5640 cmdline: C:\Users\user\Desktop\SWIFT_USD_165092.exe MD5: 22BA147ED50FF44941FE486426432115)
  - tasklist.exe (PID: 7068 cmdline: tasklist MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
  - conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 6960 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 4996 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 4804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 2372 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 2312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 2832 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\404d522a-62f5-4eb2-91f4-202649d15261 MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 4724 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023 MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 4576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - WerFault.exe (PID: 5760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 3108 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  - cmd.exe (PID: 7008 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 6992 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 760 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
  - cmd.exe (PID: 4744 cmdline: cmd.exe" /C copy "C:\Users\user\Desktop\SWIFT_USD_165092.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- svchost.exe (PID: 5716 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
  - svchost.exe (PID: 5484 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
  - tasklist.exe (PID: 4768 cmdline: tasklist MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
  - conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 7132 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 996 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 5220 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 4436 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\88560075-49ce-438f-ba24-9980eb388270 MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 2372 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023 MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 2832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 4756 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 5740 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 3712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 3016 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
  - cmd.exe (PID: 256 cmdline: cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- msiexec.exe (PID: 6876 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
- svchost.exe (PID: 6708 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
  - svchost.exe (PID: 2332 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
  - tasklist.exe (PID: 920 cmdline: tasklist MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
  - conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 204 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 2448 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
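The process tree above shows the sample's whole persistence and cleanup chain in three command lines: mkdir of %APPDATA%\svchost, a schtasks /create firing every minute against svchost.exe in that folder, and a copy of the dropper into it, plus recursive silent rmdir of the stealer's log folders under %LOCALAPPDATA%. As an added example, not part of the Joe Sandbox report or of the sample, the following Python runs those three behaviours as detection logic over process-creation command lines, the way you would hunt them in Sysmon Event ID 1 or Security 4688 data. The sample input is constructed from the command lines in the tree above (including the missing leading quote the report renders on the cmd.exe entries); the rule names, the SYSTEM_BINARY_NAMES list and the 5-minute frequency threshold are this example's own assumptions.

```python
"""Hunt the persistence/cleanup pattern from the process tree in process-creation command lines."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the command lines visible in the report's process tree.
SAMPLE_CMDLINES = [
    r'C:\Users\user\Desktop\SWIFT_USD_165092.exe',
    r'tasklist',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards',
    r'cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost',
    r'''"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f''',
    r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f''',
    r'cmd.exe" /C copy "C:\Users\user\Desktop\SWIFT_USD_165092.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe',
    r'C:\Users\user\AppData\Roaming\svchost\svchost.exe',
    r'C:\Windows\system32\msiexec.exe /V',
]

# Assumed list: names of Windows binaries that legitimately live only under the Windows directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}

USER_PROFILE_RE = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\")
WINDOWS_DIR_RE = re.compile(r"(?i)^[a-z]:\\windows\\")
SCHTASKS_CREATE_RE = re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*?/create\b")
TASK_NAME_RE = re.compile(r'(?i)/tn\s+"?([^"\s]+)')
TASK_RUN_RE = re.compile(r'''(?i)/tr\s+"?'?([^'"]+)''')   # tolerates the "'...'" double quoting
TASK_SCHEDULE_RE = re.compile(r"(?i)/sc\s+(\w+)")
TASK_MODIFIER_RE = re.compile(r"(?i)/mo\s+(\d+)")
COPY_RE = re.compile(r'(?i)\bcopy\s+"([^"]+)"\s+"([^"]+)')
RMDIR_RE = re.compile(r'(?i)\brmdir\s+(?:/[sq]\s+)*"([^"]+)')


@dataclass(frozen=True)
class Finding:
    rule: str
    cmdline: str
    detail: str


def image_path(cmdline: str) -> str:
    """First token of the command line: the quoted image path, or everything up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0].rstrip('"')


def check_scheduled_task(cmdline: str) -> list[Finding]:
    """schtasks /create whose action lives in the user profile or fires every few minutes."""
    if not SCHTASKS_CREATE_RE.search(cmdline):
        return []
    findings = []
    name_m = TASK_NAME_RE.search(cmdline)
    name = name_m.group(1) if name_m else "?"
    run_m = TASK_RUN_RE.search(cmdline)
    target = run_m.group(1).strip() if run_m else ""
    if USER_PROFILE_RE.search(target):
        findings.append(Finding("scheduled_task_in_user_profile", cmdline, f"{name} -> {target}"))
    sc_m = TASK_SCHEDULE_RE.search(cmdline)
    mo_m = TASK_MODIFIER_RE.search(cmdline)
    # schtasks defaults /mo to 1 when /sc minute is given without it; 5 minutes is an assumed threshold.
    minutes = int(mo_m.group(1)) if mo_m else 1
    if sc_m and sc_m.group(1).lower() == "minute" and minutes <= 5:
        findings.append(Finding("scheduled_task_high_frequency", cmdline, f"{name} every {minutes} minute(s)"))
    return findings


def check_system_name_masquerade(cmdline: str) -> list[Finding]:
    """A system binary name executed from, or copied to, a path outside the Windows directory."""
    candidates = [image_path(cmdline)]
    copy_m = COPY_RE.search(cmdline)
    if copy_m:
        candidates.append(copy_m.group(2).strip())
    findings = []
    for path in candidates:
        base = path.rsplit("\\", 1)[-1].lower()
        if "\\" in path and base in SYSTEM_BINARY_NAMES and not WINDOWS_DIR_RE.match(path):
            findings.append(Finding("system_binary_name_outside_windows", cmdline, path))
    return findings


def check_log_cleanup(cmdline: str) -> list[Finding]:
    """Recursive, silent directory deletion inside the user profile (stealer log cleanup)."""
    m = RMDIR_RE.search(cmdline)
    if m and USER_PROFILE_RE.search(m.group(1)):
        return [Finding("recursive_delete_in_user_profile", cmdline, m.group(1).strip())]
    return []


CHECKS = (check_scheduled_task, check_system_name_masquerade, check_log_cleanup)


def scan(cmdlines) -> list[Finding]:
    return [f for line in cmdlines for check in CHECKS for f in check(line)]


def summarize(findings) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.rule}] {f.detail}")
    print(summarize(scan(SAMPLE_CMDLINES)))
```

Against the constructed input this yields seven findings: both schtasks lines (the cmd.exe wrapper and the schtasks.exe child) trip the user-profile and every-minute rules, the copy destination and the later svchost.exe launch trip the masquerade rule, and the rmdir of the Credit Cards folder trips the cleanup rule. The conhost.exe lines with 0xffffffff -ForceV1 are the ordinary console host launch and are deliberately not flagged, and mkdir alone is not a signal; on a real host the interesting correlation is all three rules firing from the same parent within seconds.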