Overview

overview

10

Static

static

10

4417195f41...b6.exe

windows7_x64

10

4417195f41...b6.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09-03-2022 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4417195f416e6bd019c0982978bf1f00c0c848e5ac2e020f278629bbe21266b6.exe

  • Size

    494KB

  • MD5

    d01656def63636c082785db6d61fb415

  • SHA1

    96102ea313063db1179792d65cd15af877d2f5d0

  • SHA256

    4417195f416e6bd019c0982978bf1f00c0c848e5ac2e020f278629bbe21266b6

  • SHA512

    1e27c2b2bacac3e6b9994c4de8bef20d9af1b783d668cfa8896bc7822c739e969dba64db0629a245398a0bb324575f1009bca6e51fbf0701fe1dea798d68edc7

Score
10/10
jesterads555mancollectionspywarestealer

Malware Config

Extracted

Family

jester

Botnet

ads555man

C2

http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/ads555man

https://api.anonfiles.com/upload?token=d26d620842507144
Mutex

efbb42d7-d0db-4f16-a194-3d9d9d1fc654

Attributes
  • license_key

    65EEBAF23D4744267D131CD5BA37E706

Signatures

  • Jester

    Jester is an information stealer malware written in C#.

    stealerjester
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4417195f416e6bd019c0982978bf1f00c0c848e5ac2e020f278629bbe21266b6.exe
    "C:\Users\Admin\AppData\Local\Temp\4417195f416e6bd019c0982978bf1f00c0c848e5ac2e020f278629bbe21266b6.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1264
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:920
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
            PID:824
          • C:\Windows\system32\findstr.exe
            findstr All
            3⤵
              PID:1716

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/824-58-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1264-55-0x000007FEF4D40000-0x000007FEF572C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1264-56-0x0000000000250000-0x000000000028E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1264-57-0x000000001ABE0000-0x000000001ABE2000-memory.dmp

          Filesize

          8KB

          Download