Analysis

  • max time kernel
    53s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 22:29

General

  • Target

    keygen-step-4.exe

  • Size

    3.4MB

  • MD5

    6fc4f2d665aa1aae0a56ebd4cc6227a7

  • SHA1

    1b998ceba86cd9b87dbbf464fca3008bc5c725ea

  • SHA256

    77acd936a5bd8eb9ae70ca4ac75e5159df48324273baae60854b6fbc412d36d7

  • SHA512

    67048ad418bd35e30671b76951f149e81be58d94e6cbcff4cdc01f19b3bf0ca64103c59451efbf5e519e95a9a126df561ff559f7ee4cc263bfc501e6d0fa5f4e

  • SSDEEP

    98304:SKqyUiTtG/saMpSQwnQXl8LSZ8Z56DXXuDUVJqDI6AHZQTg9:S8usaMpuQXl8LSk5mX4iJBfQs9

Malware Config

Extracted

Family

ffdroider

C2

http://186.2.171.3

Extracted

Family

gcleaner

C2

194.145.227.161

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

31.210.20.251

Signatures

  • Detect Fabookie payload 1 IoCs
  • FFDroider

    Stealer targeting social media platform users, first seen in April 2022.

  • FFDroider payload 3 IoCs
  • Fabookie

    Fabookie is a Facebook account info stealer.

  • Fabookie family
  • Ffdroider family
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

  • Onlylogger family
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Privateloader family
  • OnlyLogger payload 1 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 39 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2448
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Users\Admin\AppData\Local\Temp\chrome3.exe
        "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2664
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2632
        • C:\Users\Admin\AppData\Roaming\services64.exe
          "C:\Users\Admin\AppData\Roaming\services64.exe"
          4⤵
          • Executes dropped EXE
          PID:2968
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
            5⤵
            PID:2416
            • C:\Windows\system32\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2916
          • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
            5⤵
            PID:2428
      • C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
      • C:\Users\Admin\AppData\Local\Temp\2.exe
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
      • C:\Users\Admin\AppData\Local\Temp\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2876
      • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        3⤵
        • Executes dropped EXE
        PID:1164
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1512
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 136
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1884
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1712
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Downloads
