Analysis
Max time kernel: 135s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/05/2023, 21:10 UTC
Static task: static1 (1 signature)
General
Target: b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
Size: 438KB
MD5: 6e556d49fbf0274dc4e806399e742733
SHA1: 77cfe6cc7956083a4479896073b05741534b8e7c
SHA256: b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45
SHA512: 6c4c4438c1b44dce28567a7b2cfa4fd3c3972eba835ab600be3c6304692c8a73f9c75268fa02fc119938bbb1620a9fb9f3aae911c3d9b85cc07b6cd11071c4d7
SSDEEP: 6144:sYpMkLXBVVz9OodL7+kTFsKAF4KJffL9VUjnSnL1gPoQQl:sYL7B30ogKH4XL9ujnEL1E
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, such as saved credentials.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Program crash (1 IoC)
  pid    pid_target  Process       procid_target
  4760   4892        WerFault.exe  82

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  4892   b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
  4892   b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid    Process
  Token: SeDebugPrivilege  4892   b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
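The AdjustPrivilegeToken signature above records the sample (PID 4892, running from the user's Temp directory) enabling SeDebugPrivilege, a right that a user-land binary dropped into Temp has no ordinary reason to need. The following is an added example, not part of this report or of the sandbox's tooling, of how to turn that behaviour into a host detection: it evaluates Windows Security event 4703 ("A token right was adjusted") records, whose ProcessName, ProcessId, SubjectUserName and EnabledPrivilegeList fields are the event's real ones, and flags SeDebugPrivilege enabled by a binary in a user-writable directory. The trusted-path prefixes, the user-writable path pattern and the event records themselves are constructed for the example; only the first record's path and PID are taken from this report.

```python
"""Flag processes that enable SeDebugPrivilege from a user-writable path.

Added example, not part of the sandbox report. It models the "Suspicious use
of AdjustPrivilegeToken" signature as a detection over Windows Security event
4703 ("A token right was adjusted"), using that event's real field names
(ProcessName, ProcessId, EnabledPrivilegeList, SubjectUserName). The trusted
prefixes, the user-writable pattern and the event records are constructed for
this example; only the first record's path and PID come from the report.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Locations from which a SeDebugPrivilege request is treated as expected
# (services, installed tooling). Assumption; tune per environment.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Directories an unprivileged user can write to. A binary running from one of
# these and enabling SeDebugPrivilege is the pattern this report shows.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata\\local\\temp|appdata\\roaming|downloads)\\",
    re.IGNORECASE,
)


@dataclass
class TokenRightEvent:
    event_id: int
    subject_user: str
    process_id: int
    process_name: str
    enabled_privileges: List[str]


def parse_4703(record: dict) -> TokenRightEvent:
    """Normalise one 4703 record. EnabledPrivilegeList is a multi-line string
    in the real event, and ProcessId is logged as hex (e.g. 0x131c)."""
    privs = [p.strip() for p in str(record.get("EnabledPrivilegeList", "")).splitlines() if p.strip()]
    return TokenRightEvent(
        event_id=int(record["EventID"]),
        subject_user=record["SubjectUserName"],
        process_id=int(record["ProcessId"], 0),
        process_name=record["ProcessName"],
        enabled_privileges=privs,
    )


def is_suspicious_debug_privilege(ev: TokenRightEvent) -> bool:
    """True when SeDebugPrivilege was enabled by a binary in a user-writable
    directory that is not on the trusted-prefix allowlist."""
    if ev.event_id != 4703 or "SeDebugPrivilege" not in ev.enabled_privileges:
        return False
    path = ev.process_name.lower()
    if path.startswith(TRUSTED_PREFIXES):
        return False
    return USER_WRITABLE.match(path) is not None


def find_suspicious(records: Iterable[dict]) -> List[TokenRightEvent]:
    return [ev for ev in map(parse_4703, records) if is_suspicious_debug_privilege(ev)]


# Constructed 4703 records. The first mirrors the sandbox run: PID 4892
# (0x131c) of the sample enabling SeDebugPrivilege from the user's Temp folder.
SAMPLE_EVENTS = [
    {"EventID": "4703", "SubjectUserName": "Admin", "ProcessId": "0x131c",
     "ProcessName": "C:\\Users\\Admin\\AppData\\Local\\Temp\\b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": "4703", "SubjectUserName": "SYSTEM", "ProcessId": "0x2a8",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\r\n\t\t\tSeTcbPrivilege"},
    {"EventID": "4703", "SubjectUserName": "Admin", "ProcessId": "0x1f40",
     "ProcessName": "C:\\Users\\Admin\\AppData\\Local\\Temp\\installer.exe",
     "EnabledPrivilegeList": "SeShutdownPrivilege"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.process_id} user={hit.subject_user} path={hit.process_name}")
```

Event 4703 is only produced when the Audit Token Right Adjusted subcategory (Detailed Tracking) is enabled, and system services enable SeDebugPrivilege constantly, so the path-based allowlist is what keeps the rule usable; tune it to the environment before alerting on it.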
Processes

C:\Users\Admin\AppData\Local\Temp\b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe  (PID 4892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe"
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe  (PID 4760)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1308
      Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 760)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4892 -ip 4892

Note: the sample process itself (PID 4892) crashed during the run and was handled by WerFault, so the recorded behaviour may be incomplete. Both WerFault instances were launched from SysWOW64, i.e. the faulting process was 32-bit, which matches the arch:x86 resource tag.
Network

Remote address: 8.8.8.8:53
  Request:  104.219.191.52.in-addr.arpa IN PTR
  Response: (empty)

Remote address: 8.8.8.8:53
  Request:  95.221.229.192.in-addr.arpa IN PTR
  Response: (empty)

Remote address: 8.8.8.8:53
  Request:  janjackfrs.com IN A
  Response: janjackfrs.com IN A 176.124.192.196

Remote address: 8.8.8.8:53
  Request:  196.192.124.176.in-addr.arpa IN PTR
  Response: (empty)

Remote address: 8.8.8.8:53
  Request:  api.ip.sb IN A
  Response: api.ip.sb IN CNAME api.ip.sb.cdn.cloudflare.net
            api.ip.sb.cdn.cloudflare.net IN A 104.26.13.31
            api.ip.sb.cdn.cloudflare.net IN A 104.26.12.31
            api.ip.sb.cdn.cloudflare.net IN A 172.67.75.172

Remote address: 104.26.13.31:443
  Request:
    GET /ip HTTP/1.1
    Host: api.ip.sb
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Content-Type: text/plain
    Transfer-Encoding: chunked
    Connection: keep-alive
    vary: Accept-Encoding
    Cache-Control: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yir13o75DCAgTkzmlKcA4IZR8TDVwZXlRQ24aGShMPAZSt9uaUM7BIhCOstugyZG1YI2fUCOFkUMeTiFGvgc25gkiTcPN%2Bh35%2BJjKQIMhUx0Hv7bXskAYgIBZA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Server: cloudflare
    CF-RAY: 7c3c73570f4928a1-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

Remote address: 8.8.8.8:53
  Request:  31.13.26.104.in-addr.arpa IN PTR
  Response: (empty)

Remote address: 8.8.8.8:53
  Request:  123.108.74.40.in-addr.arpa IN PTR
  Response: (empty)

Remote address: 8.8.8.8:53
  Request:  64.13.109.52.in-addr.arpa IN PTR
  Response: (empty)
Flows
Columns: remote address, host, protocol, process, bytes sent, bytes received, packets sent, packets received

176.124.192.196:80   janjackfrs.com   http        b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe   759.5kB   15.5kB   518   219

104.26.13.31:443     api.ip.sb        tls, http   b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe   756 B     3.9kB    9     8
  HTTP Request:  GET https://api.ip.sb/ip
  HTTP Response: 200

Flows for which the page records only a byte count and a packet count (endpoint not shown):
  260 B   5
  322 B   7
  260 B   5
  322 B   7
  322 B   7
  322 B   7
  322 B   7
  260 B   5
  260 B   5
  260 B   5
  260 B   5

DNS flows (bytes sent, bytes received, packets sent, packets received):
  73 B   147 B   1   1   DNS Request: 104.219.191.52.in-addr.arpa
  73 B   144 B   1   1   DNS Request: 95.221.229.192.in-addr.arpa
  60 B    76 B   1   1   DNS Request: janjackfrs.com                  DNS Response: 176.124.192.196
  74 B   134 B   1   1   DNS Request: 196.192.124.176.in-addr.arpa
  55 B   145 B   1   1   DNS Request: api.ip.sb                       DNS Response: 104.26.13.31, 104.26.12.31, 172.67.75.172
  71 B   133 B   1   1   DNS Request: 31.13.26.104.in-addr.arpa
  72 B   146 B   1   1   DNS Request: 123.108.74.40.in-addr.arpa
  71 B   145 B   1   1   DNS Request: 64.13.109.52.in-addr.arpa

Note: almost all of the sample's traffic (759.5 kB sent against 15.5 kB received) went over cleartext HTTP on port 80 to janjackfrs.com, the only non-CDN host it resolved; the api.ip.sb exchange is a single external-IP lookup.
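The Network section above mixes indicators worth acting on (janjackfrs.com and 176.124.192.196, reached over cleartext HTTP on port 80) with noise: reverse (PTR) lookups, the resolver 8.8.8.8, the external-IP service api.ip.sb, and Cloudflare addresses that front many unrelated sites and cannot be blocked without collateral damage. The script below is an added example, not part of the report or of the sandbox's tooling, that encodes that triage and emits a defanged indicator list. The DNS and HTTP records are transcribed from this page; the treatment of PTR lookups as sandbox/host noise rather than sample behaviour, the list of IP-lookup services and the CDN suffix are this example's own assumptions.

```python
"""Triage the network records of this report into defanged indicators.

Added example, not part of the sandbox report or the sandbox's tooling. The
DNS and HTTP records below are transcribed from the Network section of the
page; the classification rules (PTR lookups as sandbox/host noise, shared CDN
addresses, "what is my IP" services) are this example's own assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = "b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe"


@dataclass
class DnsRecord:
    qname: str
    qtype: str                                        # A or PTR, as in the report
    answers: List[str] = field(default_factory=list)  # CNAME targets and addresses, in chain order


@dataclass
class HttpFlow:
    remote: str            # ip:port from the flow table
    host: str
    scheme: str            # http or https
    url: Optional[str]     # request URL only when the sandbox captured one
    process: str


@dataclass
class Indicator:
    value: str
    kind: str              # domain | ip | url
    confidence: str        # high | low | exclude
    note: str

    @property
    def defanged(self) -> str:
        return re.sub(r"^http", "hxxp", self.value).replace(".", "[.]")


# Transcribed from the report (the PTR responses were empty).
DNS = [
    DnsRecord("104.219.191.52.in-addr.arpa", "PTR"),
    DnsRecord("95.221.229.192.in-addr.arpa", "PTR"),
    DnsRecord("janjackfrs.com", "A", ["176.124.192.196"]),
    DnsRecord("196.192.124.176.in-addr.arpa", "PTR"),
    DnsRecord("api.ip.sb", "A", ["api.ip.sb.cdn.cloudflare.net",
                                 "104.26.13.31", "104.26.12.31", "172.67.75.172"]),
    DnsRecord("31.13.26.104.in-addr.arpa", "PTR"),
    DnsRecord("123.108.74.40.in-addr.arpa", "PTR"),
    DnsRecord("64.13.109.52.in-addr.arpa", "PTR"),
]
HTTP = [
    HttpFlow("176.124.192.196:80", "janjackfrs.com", "http", None, SAMPLE),  # no request line captured
    HttpFlow("104.26.13.31:443", "api.ip.sb", "https", "https://api.ip.sb/ip", SAMPLE),
]

# Assumed allowlist of public "what is my IP" services. Infostealers query them
# to tag the victim's location; the hostnames are weak indicators on their own.
IP_LOOKUP_SERVICES = {"api.ip.sb", "api.ipify.org", "ipinfo.io", "icanhazip.com"}
SHARED_CDN_SUFFIXES = (".cdn.cloudflare.net",)


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def triage(dns: List[DnsRecord], http: List[HttpFlow]) -> List[Indicator]:
    found: Dict[str, Indicator] = {}

    def add(ind: Indicator) -> None:
        found.setdefault(ind.value, ind)          # first classification wins

    for rec in dns:
        if rec.qtype == "PTR":                    # reverse lookups: sandbox/host noise (assumption)
            continue
        weak = rec.qname in IP_LOOKUP_SERVICES
        behind_cdn = any(a.endswith(SHARED_CDN_SUFFIXES) for a in rec.answers if not _is_ip(a))
        add(Indicator(rec.qname, "domain", "low" if weak else "high",
                      "external IP lookup service" if weak else "resolved by the sample"))
        for addr in (a for a in rec.answers if _is_ip(a)):
            if behind_cdn:
                add(Indicator(addr, "ip", "exclude", f"shared CDN address for {rec.qname}; block the hostname instead"))
            else:
                add(Indicator(addr, "ip", "low" if weak else "high", f"A record for {rec.qname}"))
    for flow in http:
        conf = "low" if flow.host in IP_LOOKUP_SERVICES else "high"
        add(Indicator(flow.remote.rsplit(":", 1)[0], "ip", conf, f"{flow.scheme} flow from {flow.process}"))
        if flow.url:
            add(Indicator(flow.url, "url", conf, f"requested over {flow.scheme} by {flow.process}"))
    return list(found.values())


def render(indicators: List[Indicator]) -> List[str]:
    """One line per indicator, strongest first, values defanged for safe sharing."""
    order = {"high": 0, "low": 1, "exclude": 2}
    return [f"{i.confidence:7} {i.kind:6} {i.defanged:32} {i.note}"
            for i in sorted(indicators, key=lambda i: order[i.confidence])]


if __name__ == "__main__":
    print("\n".join(render(triage(DNS, HTTP))))
```

The "exclude" class is the part worth keeping even if the rest is replaced: an address behind a shared CDN CNAME is not attributable to the sample, so the blockable indicator is the hostname, and the api.ip.sb lookup only tells you the sample wanted its public IP, not who operates it.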