typhon | b942051bc7005005adb60a5dae192214608a85ce473506ccaae10c3d23f851bc

Analysis

max time kernel
128s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 15:47

Target

typhon.exe
Size

2.3MB
MD5

d1d84c844681fe3c672a713c1a3bf52c
SHA1

099ec412993603c50ec87fd27c2315bd87b6fe7e
SHA256

a12933ab47993f5b6d09bec935163c7f077576a8b7b8362e397fe4f1ce4e791c
SHA512

3ee33d27c03f4b1e9977ea8b8905ec070cfc74adf4327dbb81923c2fa2df412d5f9d08b1d7e49c54ccf6333728a8e3c2ae278b79a214bb662854f8019dee25d0
SSDEEP

49152:8UbowEOvygS7/1sHOqJ02nTPFdRPqxMai2TBmCs2Odw+W7SC:8Ucwti78OqJ7TPB2Tc2Ou

Score

10^/10

typhon stealer

Detects Typhon stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/2708-133-0x0000000000820000-0x0000000000A72000-memory.dmp	family_typhon

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3848	2708	WerFault.exe	85

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	typhon.exe

C:\Users\Admin\AppData\Local\Temp\typhon.exe
"C:\Users\Admin\AppData\Local\Temp\typhon.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1688
  2⤵
  - Program crash
  PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2708 -ip 2708
1⤵
PID:960

memory/2708-133-0x0000000000820000-0x0000000000A72000-memory.dmp

Filesize
2.3MB

Download
memory/2708-134-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/2708-135-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download