Malware Analysis Report

2025-01-19 05:52

Sample ID 231218-vpk1jsddd6
Target Insomnia.Core-8.4.5.exe
SHA256 71f39570512da5614436bdff0536deadfabbbfd7d0ad8b92ed85d588d231a01a
Tags
irata infostealer rat trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file Insomnia.Core-8.4.5.exe was found to be: Known bad.

Malicious Activity Summary

irata infostealer rat trojan

Irata

Irata payload

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-12-18 17:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 17:09

Reported

2023-12-18 17:45

Platform

win10-20231215-en

Max time kernel

1211s

Max time network

1600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Insomnia.Core-8.4.5.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Suspicious use of WriteProcessMemory

Description: Process -> Target
PID 3320 wrote to memory of 220: C:\Users\Admin\AppData\Local\Temp\Insomnia.Core-8.4.5.exe -> C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
PID 220 wrote to memory of 5056: C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe -> C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\Insomnia.exe
PID 5056 wrote to memory of 3120: C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\Insomnia.exe -> C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\Insomnia.exe
PID 5056 wrote to memory of 4060: C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\Insomnia.exe -> C:\Users\Admin\AppData\Local\insomnia\Update.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Insomnia.Core-8.4.5.exe

"C:\Users\Admin\AppData\Local\Temp\Insomnia.Core-8.4.5.exe"

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .

C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\Insomnia.exe

"C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\Insomnia.exe" --squirrel-install 8.4.5

C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\Insomnia.exe

C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\Insomnia.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Insomnia /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Insomnia\Crashpad --url=https://f.a.k/e --annotation=_productName=Insomnia --annotation=_version=8.4.5 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=27.0.3 --initial-client-data=0x4d4,0x4d8,0x4dc,0x44c,0x4e0,0x7ff7e04b79e0,0x7ff7e04b79f0,0x7ff7e04b7a00

C:\Users\Admin\AppData\Local\insomnia\Update.exe

C:\Users\Admin\AppData\Local\insomnia\Update.exe --createShortcut=Insomnia.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

C:\Users\Admin\AppData\Local\SquirrelTemp\insomnia-8.4.5-full.nupkg

C:\Users\Admin\AppData\Local\insomnia\packages\insomnia-8.4.5-full.nupkg

C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\Insomnia.exe

C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\ffmpeg.dll

C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\icudtl.dat

\Users\Admin\AppData\Local\insomnia\app-8.4.5\ffmpeg.dll

C:\Users\Admin\AppData\Local\insomnia\app-8.4.5\resources\app.asar

C:\Users\Admin\AppData\Local\insomnia\update.exe

\Users\Admin\AppData\Local\Temp\644e011c-f06c-45a1-86da-844c52a52e6e.tmp.node

C:\Users\Admin\AppData\Local\insomnia\packages\RELEASES

C:\Users\Admin\AppData\Local\insomnia\Update.exe

C:\Users\Admin\AppData\Local\insomnia\Insomnia.exe