vulturi | fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c

General

Target

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
Size

3.7MB
MD5

2006a4de01e8d2330d684c44b824ed52
SHA1

21aafc6bf52e3765b9538d5de5eacbe3fbb7d4f8
SHA256

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c
SHA512

be80a27e54891d8350116daeb3cc652e5071c904cf22bbad1b45931a3f432ac1b9e4b9f0dca2dd481eb485e19a28e9bcaeb6b1448f2b4abb50de3a90eee54a01

Score

10^/10

vulturi stealer

Malware Config

Extracted

Family

vulturi

C2

http://154.53.33.203:5050/gate

Attributes

c2_encryption_key
testkey
c2_user
root

Signatures

Vulturi
An info stealer written in C# and first seen in January 2021.
stealer vulturi

Vulturi payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1736-63-0x0000000000400000-0x0000000000450000-memory.dmp	family_vulturi
behavioral1/memory/1736-65-0x0000000000400000-0x0000000000450000-memory.dmp	family_vulturi
behavioral1/memory/1736-66-0x0000000000400000-0x0000000000450000-memory.dmp	family_vulturi
behavioral1/memory/1736-67-0x00000000004445BE-mapping.dmp	family_vulturi
behavioral1/memory/1736-69-0x0000000000400000-0x0000000000450000-memory.dmp	family_vulturi
behavioral1/memory/1736-71-0x0000000000400000-0x0000000000450000-memory.dmp	family_vulturi

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1784 cmd.exe

pid	process
1784	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

description	pid	process	target process
PID 1948 set thread context of 1736	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

648 PING.EXE

pid	process
648	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

pid	process
1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exefe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

description	pid	process
Token: SeDebugPrivilege	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
Token: SeDebugPrivilege	1736	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exefe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 1736	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 1948 wrote to memory of 1736	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 1948 wrote to memory of 1736	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 1948 wrote to memory of 1736	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 1948 wrote to memory of 1736	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 1948 wrote to memory of 1736	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 1948 wrote to memory of 1736	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 1948 wrote to memory of 1736	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 1948 wrote to memory of 1736	1948	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 1736 wrote to memory of 1784	1736	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	cmd.exe
PID 1736 wrote to memory of 1784	1736	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	cmd.exe
PID 1736 wrote to memory of 1784	1736	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	cmd.exe
PID 1736 wrote to memory of 1784	1736	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	cmd.exe
PID 1784 wrote to memory of 1336	1784	cmd.exe	chcp.com
PID 1784 wrote to memory of 1336	1784	cmd.exe	chcp.com
PID 1784 wrote to memory of 1336	1784	cmd.exe	chcp.com
PID 1784 wrote to memory of 1336	1784	cmd.exe	chcp.com
PID 1784 wrote to memory of 648	1784	cmd.exe	PING.EXE
PID 1784 wrote to memory of 648	1784	cmd.exe	PING.EXE
PID 1784 wrote to memory of 648	1784	cmd.exe	PING.EXE
PID 1784 wrote to memory of 648	1784	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
"C:\Users\Admin\AppData\Local\Temp\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
  "C:\Users\Admin\AppData\Local\Temp\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-75-0x0000000000000000-mapping.dmp

Download
memory/1336-74-0x0000000000000000-mapping.dmp

Download
memory/1736-69-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1736-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1736-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1736-67-0x00000000004445BE-mapping.dmp

Download
memory/1736-60-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1736-61-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1736-63-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1736-66-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1784-73-0x0000000000000000-mapping.dmp

Download
memory/1948-57-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1948-59-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/1948-54-0x00000000008A0000-0x0000000000C5C000-memory.dmp

Filesize
3.7MB

Download
memory/1948-58-0x0000000004630000-0x000000000464A000-memory.dmp

Filesize
104KB

Download
memory/1948-56-0x0000000000840000-0x0000000000856000-memory.dmp

Filesize
88KB

Download
memory/1948-55-0x00000000007C0000-0x00000000007F2000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads