Analysis

max time kernel: 140s
max time network: 131s
platform: windows10-1703_x64
resource: win10-20231023-en
resource tags: arch:x64, arch:x86, image:win10-20231023-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23-10-2023 16:41

Static task: static1 (1 signature)
General

Target: b5b9d5725aa9ad9330523f70aa467e27ac2c0b6ec34f993393b30afea703dd48.exe
Size: 1.4MB
MD5: c6bd4410a4201fd49a8d399f10dd8ecf
SHA1: 3b9b4c490fc80d4ed7d1c9c7f8dafc19cb7764b6
SHA256: b5b9d5725aa9ad9330523f70aa467e27ac2c0b6ec34f993393b30afea703dd48
SHA512: 5ddd989afc6ff64dbf03466a219e3ba71906939c74c8833b20bb70bd86c0a28d45e621a15a4a6ec09071f55c930b42e2a64877135a31c9f5ed2e09e5cda0e093
SSDEEP: 12288:bRgcdrhCHwfbv7rHMUtXe44Lzynevtxn+9WXH3ML:bmqewfbv7IwOlLzynevtxmWXH8
Malware Config

Extracted
Family: stealc
C2: http://tetromask.site
Attributes:
  url_path: /b5c586aec2e1004c.php
  rc4.plain
Signatures

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (4 IoCs)
pid   pid_target  Process       procid_target
2596  2820        WerFault.exe  70
212   2820        WerFault.exe  70
5056  2820        WerFault.exe  70
2372  2820        WerFault.exe  70

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       b5b9d5725aa9ad9330523f70aa467e27ac2c0b6ec34f993393b30afea703dd48.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   b5b9d5725aa9ad9330523f70aa467e27ac2c0b6ec34f993393b30afea703dd48.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2820  b5b9d5725aa9ad9330523f70aa467e27ac2c0b6ec34f993393b30afea703dd48.exe
2820  b5b9d5725aa9ad9330523f70aa467e27ac2c0b6ec34f993393b30afea703dd48.exe
Processes

C:\Users\Admin\AppData\Local\Temp\b5b9d5725aa9ad9330523f70aa467e27ac2c0b6ec34f993393b30afea703dd48.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b5b9d5725aa9ad9330523f70aa467e27ac2c0b6ec34f993393b30afea703dd48.exe"
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 2820

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1212
      - Program crash
      PID: 2596

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1252
      - Program crash
      PID: 212

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1208
      - Program crash
      PID: 5056

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1240
      - Program crash
      PID: 2372