Analysis
-
max time kernel
195s -
max time network
255s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
29-04-2024 04:13
Static task
static1
Behavioral task
behavioral1
Sample
f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe
Resource
win7-20240215-en
General
-
Target
f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe
-
Size
351KB
-
MD5
8f81cbad65802a563f4c6828ad59e382
-
SHA1
732d20205b2c7879a138bf89bae0d272166d8961
-
SHA256
f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9
-
SHA512
072f837658ec1387cd44f9b4119b0fc52a67f8e5a8334c56fbae88de6564b9f65b313dfb473900e41a6989b33d3f02373aaf40f280b826f3f8bfe9251ecb1166
-
SSDEEP
3072:yk6yIlOwVEC7i+lv5e4nAFOkrDJmnKNJT3EfqBDTSIJ47faaV0OJrVZO+zuiGFZ4:KM2ECm+lvc+C5VQyWdGAiQmN8R
Malware Config
Signatures
-
Detect Xehook Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2360-1-0x00000000009C0000-0x00000000009EC000-memory.dmp family_xehook -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-api.com -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 2336 2360 WerFault.exe 72 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exedescription pid Process Token: SeDebugPrivilege 2360 f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe"C:\Users\Admin\AppData\Local\Temp\f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 16202⤵
- Program crash
PID:2336
-