observer | 6b1f5e73fbad2351b4183b20fc4626d75d475fb3c95ee538ae5507f61ac7f0c5 | Triage

Analysis

max time kernel
32s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 16:02

Sharing

Report Analysis Logs

General

Target

suspect.exe
Size

1.4MB
MD5

eb9b5a9fb84c5eb9527d724cd9c14118
SHA1

d166e843d328dd358ea748c652e3e422fec001a7
SHA256

6b1f5e73fbad2351b4183b20fc4626d75d475fb3c95ee538ae5507f61ac7f0c5
SHA512

26412f140d5f619f17e705568e6b99d2c8c469b83803edd9fad2559298fb7320b9bc4d60b66a4d4880ca75b9f17fefd5a755a18d0d6dbf2d9768bcc97cec8944
SSDEEP

12288:waBBmsOOeuu8AAU5igKjyRM5LZIBFNOdYbJt1vuE:TGB8pw+e6Ioav1G

Score

10^/10

observer stealer

Malware Config

Extracted

Family

observer

C2

http://91.103.252.17:8912

Signatures

Observer
Observer is an infostealer written in C++.
stealer observer

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4836	1612	WerFault.exe	83
4896	1612	WerFault.exe	83

C:\Users\Admin\AppData\Local\Temp\suspect.exe
"C:\Users\Admin\AppData\Local\Temp\suspect.exe"
1⤵
PID:1612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 292
  2⤵
  - Program crash
  PID:4836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 300
  2⤵
  - Program crash
  PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1612 -ip 1612
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1612 -ip 1612
1⤵
PID:3720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-0-0x0000000000680000-0x0000000000685000-memory.dmp

Filesize
20KB

Download
memory/1612-1-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download