vulturi | fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c

General

Target

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
Size

3.7MB
MD5

2006a4de01e8d2330d684c44b824ed52
SHA1

21aafc6bf52e3765b9538d5de5eacbe3fbb7d4f8
SHA256

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c
SHA512

be80a27e54891d8350116daeb3cc652e5071c904cf22bbad1b45931a3f432ac1b9e4b9f0dca2dd481eb485e19a28e9bcaeb6b1448f2b4abb50de3a90eee54a01

Score

10^/10

vulturi stealer

Malware Config

Extracted

Family

vulturi

C2

http://154.53.33.203:5050/gate

Attributes

c2_encryption_key
testkey
c2_user
root

Signatures

Vulturi
An info stealer written in C# and first seen in January 2021.
stealer vulturi

Vulturi payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/404-138-0x00000000009C0000-0x0000000000A10000-memory.dmp	family_vulturi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

description	pid	process	target process
PID 2124 set thread context of 404	2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1680 PING.EXE

pid	process
1680	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

pid	process
2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exefe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

description	pid	process
Token: SeDebugPrivilege	2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
Token: SeDebugPrivilege	404	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exefe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.execmd.exe

description	pid	process	target process
PID 2124 wrote to memory of 404	2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 2124 wrote to memory of 404	2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 2124 wrote to memory of 404	2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 2124 wrote to memory of 404	2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 2124 wrote to memory of 404	2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 2124 wrote to memory of 404	2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 2124 wrote to memory of 404	2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 2124 wrote to memory of 404	2124	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
PID 404 wrote to memory of 1460	404	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	cmd.exe
PID 404 wrote to memory of 1460	404	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	cmd.exe
PID 404 wrote to memory of 1460	404	fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe	cmd.exe
PID 1460 wrote to memory of 2916	1460	cmd.exe	chcp.com
PID 1460 wrote to memory of 2916	1460	cmd.exe	chcp.com
PID 1460 wrote to memory of 2916	1460	cmd.exe	chcp.com
PID 1460 wrote to memory of 1680	1460	cmd.exe	PING.EXE
PID 1460 wrote to memory of 1680	1460	cmd.exe	PING.EXE
PID 1460 wrote to memory of 1680	1460	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
"C:\Users\Admin\AppData\Local\Temp\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe
  "C:\Users\Admin\AppData\Local\Temp\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fe3868de44639e4db971bc2600cdcd55c09e1500a1e9a3cb7a8d22f1867c795c.exe.log

Filesize
1KB

MD5
8a6c7d7634167e5fa31a233d842387d5

SHA1
36753fa11ce5ea4cf884340cb58f4f821f37409d

SHA256
c8b08023b412625895878fd43f335f8cb38a77983d1c92eb3c3eeabd2ffb6f43

SHA512
6f0a5ab90a7bf3dfca908ca76dbffac9c5b58f16b0110d7c8ef7a4068f47eabbc72c2daa99edc513b3890366f55b6bd9e6233f577eba1d1d6a234ac27e38367e

Download Submit
memory/404-136-0x0000000000000000-mapping.dmp

Download
memory/404-138-0x00000000009C0000-0x0000000000A10000-memory.dmp

Filesize
320KB

Download
memory/404-137-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1460-139-0x0000000000000000-mapping.dmp

Download
memory/1680-142-0x0000000000000000-mapping.dmp

Download
memory/2124-135-0x00000000097B0000-0x00000000097D2000-memory.dmp

Filesize
136KB

Download
memory/2124-134-0x00000000065A0000-0x00000000065AA000-memory.dmp

Filesize
40KB

Download
memory/2124-133-0x0000000005AE0000-0x0000000005B7C000-memory.dmp

Filesize
624KB

Download
memory/2124-132-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/2124-130-0x0000000000C40000-0x0000000000FFC000-memory.dmp

Filesize
3.7MB

Download
memory/2124-131-0x0000000005FF0000-0x0000000006594000-memory.dmp

Filesize
5.6MB

Download
memory/2916-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads