Tuesday, October 2, 2018

Analysis of a recent Swizzor variant (aka Stealer):

Overview

Trojan Swizzor variants have been detected since early 2004. The family works by downloading and executing malicious files from the Internet on the infected machine; its primary infection channel is the Internet, and it is known for stealing personal data. In this case, our researcher monitored malicious traffic and spotted a Swizzor binary as the downloaded file.

Analysis

While monitoring the traffic, we received an alert triggered by communication with a suspicious website. Suspicious websites are stored in our threat intelligence list of malicious websites, which is what our rule matches against.
Our rule picked up the communication with the following URL:

hxxp://Judoalmoradi(.)com/LOGOS/puttyupdate45

So we performed incident response on the host machine that connected to the malicious URL and gathered timeline information from it. During the timeline analysis, we spotted the process puttyupdate459.exe in memory. The sample was taken for malware analysis:
File Hash: d85fa670e482083d83c7cfdea08b65729378b02b2dc31f009350f6385a459809
File Size: 227.5 KB

Figure 1 Compiled using VC++

We executed the specimen in a controlled environment and observed its behavior. The malicious process started querying general information about the file system and the registry.

Figure 2 Execution of malware - loaded in memory and starts querying
Then it creates a thread, which then exits. The thread creation is logged as an event, and we checked the properties of that event.

Figure 3 Thread creation

Figure 4 Thread creation event
This unknown module in the stack appears suspicious and has no file path. The malicious process creates a file in the Temp location and writes content to the file ‘A45F.bin’.

Figure 5 puttyupdate459.exe queries the computer name details and it creates a file in Temp location
It also queries for the presence of the following registry keys, but they are not found:

puttyupdate459.exe    992    RegOpenKey    HKCU\Software\Classes\AppID\puttyupdate459.exe    NAME NOT FOUND    Desired Access: Read
puttyupdate459.exe    992    RegOpenKey    HKCR\AppID\puttyupdate459.exe    NAME NOT FOUND    Desired Access: Read

This is because there is usually a parent file that registers these entries for the downloaded malware. We opened the .bin file in the Temp location; it contains the following details:
Figure 6 A45F.bin file in the temp location

The number of ‘LdrLoadFile’ lines keeps increasing, and we noticed that each time iexplorer.exe is loaded into memory and terminated, the .bin file in the Temp location gains more lines.
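The two failed AppID lookups and the Temp-directory write above form a small behavioral pattern: a freshly downloaded executable looking up its own AppID registration (which only a parent installer would have created) and then dropping a file under Temp. The following script, added here as an example and not part of the original post, parses a constructed Process Monitor CSV export (column names and sample rows are assumed, modelled on the entries shown above) and reports any process that shows both behaviors.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (not taken from the original
# post); the two AppID lookups mirror the entries quoted in the analysis.
SAMPLE_PROCMON_CSV = r"""Process Name,PID,Operation,Path,Result,Detail
puttyupdate459.exe,992,RegOpenKey,HKCU\Software\Classes\AppID\puttyupdate459.exe,NAME NOT FOUND,Desired Access: Read
puttyupdate459.exe,992,RegOpenKey,HKCR\AppID\puttyupdate459.exe,NAME NOT FOUND,Desired Access: Read
puttyupdate459.exe,992,CreateFile,C:\Users\victim\AppData\Local\Temp\A45F.bin,SUCCESS,Desired Access: Generic Write
explorer.exe,1204,RegOpenKey,HKCR\AppID\explorer.exe,SUCCESS,Desired Access: Read
"""

# AppID keys live under HKCR\AppID or the per-user HKCU\Software\Classes\AppID.
APPID_RE = re.compile(r"^(HKCU\\Software\\Classes|HKCR)\\AppID\\(?P<image>[^\\]+)$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _is_own_appid_miss(event, image_name):
    """True if the event is a failed lookup of the process's own AppID key."""
    if event["Operation"] != "RegOpenKey" or event["Result"] != "NAME NOT FOUND":
        return False
    match = APPID_RE.match(event["Path"])
    return bool(match) and match.group("image").lower() == image_name.lower()


def _is_temp_write(event):
    """True if the event is a successful CreateFile for writing under a Temp directory."""
    return (event["Operation"] == "CreateFile" and event["Result"] == "SUCCESS"
            and TEMP_RE.search(event["Path"]) is not None and "Write" in event["Detail"])


def find_unregistered_temp_writers(events):
    """Return one finding per process that both missed its own AppID key and wrote to Temp."""
    by_process = {}
    for event in events:
        by_process.setdefault((event["PID"], event["Process Name"]), []).append(event)
    findings = []
    for (pid, name), evs in by_process.items():
        missing_appid = [e["Path"] for e in evs if _is_own_appid_miss(e, name)]
        temp_writes = [e["Path"] for e in evs if _is_temp_write(e)]
        if missing_appid and temp_writes:
            findings.append({"pid": pid, "process": name,
                             "missing_appid_keys": missing_appid, "temp_writes": temp_writes})
    return findings
```

On the sample above, only puttyupdate459.exe (PID 992) is reported; explorer.exe is skipped because its AppID lookup succeeded.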

Timeline analysis

With this analysis we were unable to observe the complete behavior, so our incident response team ran a Redline script and collected an analysis session from the infected machine. During the Redline analysis, we found the parent file, which contains the above malicious URL:
hxxp://Judoalmoradi(.)com/LOGOS/puttyupdate459

This malicious URL was used to download the puttyupdate459.exe file. The parent file details are:
SHA256: 21fc447f95143fd8595d364e526bb726d2e3e52983aebe2c1ae5d49d4e6e96f5

Figure 7 Parent file - Ursnif/Swizzor/Password Stealer

The parent file was detected as a password stealer (PWS/PSW), Swizzor and Ursnif. It was only through this deeper incident response activity that our team found the file.

Why was the file not detected by AV?

Most AV vendors detect the parent file (SHA256: 21fc447f95143fd8595d364e526bb726d2e3e52983aebe2c1ae5d49d4e6e96f5) and the downloaded file (puttyupdate459.exe). However, we found that the infected network infrastructure did not follow many best practices, and the AV definition updates had been failing for several weeks. We also collected their AV logs for analysis: the AV had actually raised alerts on the termination of the on-access scan and AV shield processes.
If best practices and proper monitoring had been in place, this infection could have been avoided.


Research and post were done by


IOC details:

URL
  • Judoalmoradi(.)com/LOGOS/puttyupdate45


File Hashes
  • 21fc447f95143fd8595d364e526bb726d2e3e52983aebe2c1ae5d49d4e6e96f5
  • d85fa670e482083d83c7cfdea08b65729378b02b2dc31f009350f6385a459809
