nightingale | 201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97

Resubmissions

18-06-2024 20:09

18-06-2024 19:17

Target

571878c5dbb5200509fddc36d7c01643.exe
Size

194KB
MD5

571878c5dbb5200509fddc36d7c01643
SHA1

85812f73a4857c3dbf52f7f33bde08fae9ac730c
SHA256

201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97
SHA512

df6af844fe158ee31988a0f49fc20b2a15a9812fb9cb4fec569900a486e5af4ebff84d6db8229f96175ebee7a114c1285e625320342bb61c8aaee9200e6b8e89
SSDEEP

6144:UsbxzQ/mrGZw/uWJbGF7REKQ1TLRSSXBHDUfp90k:fQ+yZw/CM1/RxXB4fp90k

Score

10^/10

Family

nightingale

80.76.49.148:3999

https://api.telegram.org/bot6813766312:AAGyxmK0E-SiPNsQCpjEIFZJIOhZnrPLxhw/sendMessage?chat_id=6467170572

Nightingale family
nightingale
Nightingale stealer
Nightingale stealer is an information stealer written in C#.
stealer nightingale

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ms-settings\shell\open\command	571878c5dbb5200509fddc36d7c01643.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ms-settings	571878c5dbb5200509fddc36d7c01643.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ms-settings\shell	571878c5dbb5200509fddc36d7c01643.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ms-settings\shell\open	571878c5dbb5200509fddc36d7c01643.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ms-settings\shell\open\command\	571878c5dbb5200509fddc36d7c01643.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2348	2944	571878c5dbb5200509fddc36d7c01643.exe	28
PID 2944 wrote to memory of 2348	2944	571878c5dbb5200509fddc36d7c01643.exe	28
PID 2944 wrote to memory of 2348	2944	571878c5dbb5200509fddc36d7c01643.exe	28

C:\Users\Admin\AppData\Local\Temp\571878c5dbb5200509fddc36d7c01643.exe
"C:\Users\Admin\AppData\Local\Temp\571878c5dbb5200509fddc36d7c01643.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2944 -s 636
  2⤵
  PID:2348

memory/2944-0-0x000007FEF5F53000-0x000007FEF5F54000-memory.dmp

Filesize
4KB

Download
memory/2944-1-0x0000000000D50000-0x0000000000D7A000-memory.dmp

Filesize
168KB

Download
memory/2944-2-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

Filesize
9.9MB

Download
memory/2944-3-0x000007FEF5F53000-0x000007FEF5F54000-memory.dmp

Filesize
4KB

Download
memory/2944-4-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

Filesize
9.9MB

Download