Analysis
-
max time kernel
135s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2024 16:20
Static task
static1
Behavioral task
behavioral1
Sample
A9ZFW_file.exe
Resource
win7-20241010-en
General
-
Target
A9ZFW_file.exe
-
Size
1.8MB
-
MD5
5a13a0fa7c0983274d34fb5499aa2a8b
-
SHA1
cdf4e14e103ef119c0122cadb01abca1460827a9
-
SHA256
5ccc7cf886a54dfc66eac92fc4cb4acc8cfc5069ca3912abb4f8801831bf1fdc
-
SHA512
5cbc92b720ba806196b312f4ef319cc70c728bb5be90e84d8eb3773d2a144feb0da476d7b8ab7f9d68168bb725bddb1a57857c4b15dbac8b59702d06dc4be6e5
-
SSDEEP
49152:snaDFK4Arc4lvxP0xdysBnb/Quo0PTY0G:s8FK4d4mcsdoQw
Malware Config
Extracted
stealc
puma
http://185.215.113.206
-
url_path
/e2b1563c6670f193.php
Signatures
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ A9ZFW_file.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion A9ZFW_file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion A9ZFW_file.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation A9ZFW_file.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine A9ZFW_file.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1056 A9ZFW_file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A9ZFW_file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 A9ZFW_file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString A9ZFW_file.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2640 timeout.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1056 A9ZFW_file.exe 1056 A9ZFW_file.exe 1056 A9ZFW_file.exe 1056 A9ZFW_file.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1056 wrote to memory of 3472 1056 A9ZFW_file.exe 89 PID 1056 wrote to memory of 3472 1056 A9ZFW_file.exe 89 PID 1056 wrote to memory of 3472 1056 A9ZFW_file.exe 89 PID 3472 wrote to memory of 2640 3472 cmd.exe 91 PID 3472 wrote to memory of 2640 3472 cmd.exe 91 PID 3472 wrote to memory of 2640 3472 cmd.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\A9ZFW_file.exe"C:\Users\Admin\AppData\Local\Temp\A9ZFW_file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A9ZFW_file.exe" & del "C:\ProgramData\*.dll"" & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2640
-
-