Analysis
max time kernel: 73s
max time network: 138s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 27-09-2022 13:55
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
- Sample: https://github.com/StevenHuerta/furry-lobster/raw/main/download.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: https://github.com/StevenHuerta/furry-lobster/raw/main/download.exe
- Resource: win10v2004-20220812-en
General
Target: https://github.com/StevenHuerta/furry-lobster/raw/main/download.exe
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 2004 download.exe
  - 2000 download.exe
- Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\_MEI20042\python310.dll: upx
  - \Users\Admin\AppData\Local\Temp\_MEI20042\python310.dll: upx
  - behavioral1/memory/2000-64-0x000007FEF69B0000-0x000007FEF6E1F000-memory.dmp: upx
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 1128 iexplore.exe
  - 2000 download.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Detects Pyinstaller (4 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\download.exe.zxdgoa2.partial: pyinstaller
  - \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\download.exe: pyinstaller
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\download.exe: pyinstaller
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\download.exe: pyinstaller
- Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 30766ae278d2d801 (iexplore.exe)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  - 1128 iexplore.exe
  - 1128 iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
  - 1128 iexplore.exe
  - 1128 iexplore.exe
  - 1720 IEXPLORE.EXE
  - 1720 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, pid, process, target process):
  - PID 1128 wrote to memory of 1720: iexplore.exe -> IEXPLORE.EXE
  - PID 1128 wrote to memory of 1720: iexplore.exe -> IEXPLORE.EXE
  - PID 1128 wrote to memory of 1720: iexplore.exe -> IEXPLORE.EXE
  - PID 1128 wrote to memory of 1720: iexplore.exe -> IEXPLORE.EXE
  - PID 1128 wrote to memory of 2004: iexplore.exe -> download.exe
  - PID 1128 wrote to memory of 2004: iexplore.exe -> download.exe
  - PID 1128 wrote to memory of 2004: iexplore.exe -> download.exe
  - PID 2004 wrote to memory of 2000: download.exe -> download.exe
  - PID 2004 wrote to memory of 2000: download.exe -> download.exe
  - PID 2004 wrote to memory of 2000: download.exe -> download.exe
Processes
- C:\Program Files\Internet Explorer\iexplore.exe (process tree level 1)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/StevenHuerta/furry-lobster/raw/main/download.exe
  - Loads dropped DLL
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (process tree level 2)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1128 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\download.exe (process tree level 2)
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\download.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\download.exe (process tree level 3)
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\download.exe"
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\download.exe (21.2MB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\download.exe.zxdgoa2.partial (21.2MB)
- C:\Users\Admin\AppData\Local\Temp\_MEI20042\python310.dll (1.5MB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\K5PMPL6X.txt (598B)
- memory/2000-59-0x0000000000000000-mapping.dmp
- memory/2000-64-0x000007FEF69B0000-0x000007FEF6E1F000-memory.dmp (4.4MB)
- memory/2004-56-0x0000000000000000-mapping.dmp
- memory/2004-58-0x000007FEFC211000-0x000007FEFC213000-memory.dmp (8KB)