Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 05-08-2024 13:28
Static task: static1
Behavioral task: behavioral1
  Sample: Informations.txt.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Informations.txt.exe
  Resource: win10v2004-20240802-en
General
Target: Informations.txt.exe
Size: 26KB
MD5: c43fa1b082302f3b8e01d77fb95c78c6
SHA1: 27609564e9f83b02aff9e7dc1b44f5d6063c46ba
SHA256: 130e9e8849b77a47b3d6f5201e55db8117b71c1b0530eec25cc24605e8ad1e42
SHA512: 095df280d357e6ff0f843b868cc17b8b1dfb428a07d1718f56a469d7f4b69df8f73cc39c83fc182015c8bdb932c828fd169ef1a09386995490014354498cd0a1
SSDEEP: 768:QTGiVlYv8RSiHTfsuDuso8MHMt+wVupKqh6nZzY:qjI8RSiH7suDuq9PVuUqhs
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unexpected DNS network traffic destination (54 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Jammer2nd = "C:\\Windows\\Jammer2nd.exe" (process: Informations.txt.exe)
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Informations.txt.exe: \??\x:, \??\e:, \??\m:, \??\q:, \??\r:, \??\s:, \??\v:, \??\h:, \??\i:, \??\k:, \??\p:, \??\u:, \??\g:, \??\n:, \??\t:, \??\j:, \??\l:, \??\o:, \??\w:, \??\y:, \??\z:
Drops file in Windows directory (12 IoCs)
  All of the following by process Informations.txt.exe:
  File created: C:\Windows\pk_zip1.log
  File created: C:\Windows\pk_zip_alg.log
  File opened for modification: C:\Windows\pk_zip_alg.log
  File created: C:\Windows\pk_zip2.log
  File created: C:\Windows\pk_zip3.log
  File created: C:\Windows\pk_zip4.log
  File created: C:\Windows\pk_zip5.log
  File created: C:\Windows\Jammer2nd.exe
  File opened for modification: C:\Windows\Jammer2nd.exe
  File created: C:\Windows\pk_zip8.log
  File created: C:\Windows\pk_zip6.log
  File created: C:\Windows\pk_zip7.log
System Location Discovery: System Language Discovery (1 TTPs, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Informations.txt.exe)