Swift-service-encrypted-obuscated.exe

First submission 2024-10-17 18:31:03

File details

File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Mime type: application/x-dosexec
File size: 111.5 KB (114176 bytes)
Compile time: 2024-09-19 07:47:01
MD5: 34aa449b4fb52742bc830e10b7efe47b
SHA1: 2c8080fa6a48a92df1eae081a4fab3bd6fc949a2
SHA256: a87ec35ffa4d698eddfe69cea22dccba56afe78fbd34529672d3eedc98b84350
Import Hash: 1299062c7b29ddbc3d30daa2b2edea43
Sections 11 .text .data .rdata .pdata .xdata .bss .edata .idata .CRT .tls .reloc
Directories 4 import export tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 45/77 VT report date: 2024-10-13 00:08:33
Malware Type 1 trojan
Threat Type 3 havoc havokiz marte

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://169.1.16.29/Swift-service-encrypted-obuscated.exe 169.1.16.29 2024-10-17 18:31:03

PE Sections 3 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x18e38 102400 26acb653d12d68dd185c2f543b08b238d9263b36 1301a041f7049165d54540ef6e559fee
.data 0x1a000 0x9f0 2560 1840cffbb48559433efffe5c48563f174d8f6feb b005d06fe472a1e2f53dee5e14012532
.rdata 0x1b000 0x820 2560 8ea63a3add4581b556505d632546b9b784700156 64bc11a06d8afa5d5134f38da50f9900
.pdata 0x1c000 0x21c 1024 d20b768bc135cefdc65660db0fbf2584eff419e0 ea60e28a76e5ab6afb363f192e91c0cb
.xdata 0x1d000 0x194 512 f5f94cd102530017458c5fab53ed7105321ae013 fa629854ab07e5f08efccf70eab3e7ea
.bss 0x1e000 0x190 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.edata 0x1f000 0x36 512 8ca74eb0f9f02391c6c921e34c5b1bf63bbe154d 7cedca5dccc37d28c49ba3cc38964744
.idata 0x20000 0x610 2048 e2b1122858f5b9a395bdd25bfd6ba0732b01b41d 5fa9ec47dab56181ab414b4753bcf646
.CRT 0x21000 0x60 512 035b7d1a135203160a4bf965ab6ac300aca59e14 3e2d9655b6ec668562f1c88da2b84367
.tls 0x22000 0x10 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b
.reloc 0x23000 0x154 512 c90ca73b6c7c875040cc215784f08eb07c684e5e 02ce46a0aabbe2715cbdc0c5fb527a93

Anti debug functions 1

GetLastError

Strings analysis - File found

Library
ADVAPI32.dll
MSVCRT.dll
KERNEL32.dll

Import functions