Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
21/08/2023, 07:26
Static task
static1
Behavioral task
behavioral1
Sample
2023080181301512300.exe
Resource
win7-20230712-en
General
-
Target
2023080181301512300.exe
-
Size
654KB
-
MD5
211cc9065649db3cd6d2b27b60904f62
-
SHA1
6c724039b6995607dee6d5d6a48b06c806eb355c
-
SHA256
fe8fe2d1a57f344afaebc018a90acfd787b897b2a5baffd045980ff7a5c00bc3
-
SHA512
e9b318ebaaf9b7f69e94521a3554732eade544b6d80c11a3164eca1f14efea35c57aa402081e1db02e01aed9cb8c5528a03623d7418bcb517ac19bf571f6b67d
-
SSDEEP
12288:3W23/gPrk6AQRxwZlOK1q3hfwqrSg/b596cBs2yov2QdOBu5p/I:dwrk6VqOK1q3hfzSg/j6cjyC/dOBu5pQ
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 35 api.ipify.org 36 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid Process 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe 4004 2023080181301512300.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4004 2023080181301512300.exe