Overview

overview

10

Static

static

10

c831aebefa...96.exe

windows7-x64

10

c831aebefa...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c831aebefaf218907d8164288a8249755c47f68b5a6dd223dcef2d150d8df396.exe

  • Size

    21.2MB

  • MD5

    806a6ccce380785faa45512ce603c580

  • SHA1

    78a2936e19f0474f80f73144564e9f24c4559859

  • SHA256

    c831aebefaf218907d8164288a8249755c47f68b5a6dd223dcef2d150d8df396

  • SHA512

    f228fceffc0af944cff9d06058aa690b1f6bcaea252971ac6b33c58e88429b108c2c4189e807c2659f40035160a4fdeacae961704c81a3e1ba8f1739df2d8e9e

  • SSDEEP

    196608:KKopoPyXk3nLRT155J/YJMIYhOFWBe1ZiieX:zoP+dT155lD/ALiie

Score
10/10
ailurophilediscoveryexecutionspywarestealer

Malware Config

Signatures

  • Ailurophile

    Ailurophile is stealer written in Delphi.

    stealerailurophile
  • Ailurophile family
    ailurophile
  • Detects Ailurophile payload 1 IoCs

    Ailurophile is stealer written in Delphi.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c831aebefaf218907d8164288a8249755c47f68b5a6dd223dcef2d150d8df396.exe
    "C:\Users\Admin\AppData\Local\Temp\c831aebefaf218907d8164288a8249755c47f68b5a6dd223dcef2d150d8df396.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_videocontroller get caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Version
      2⤵
        PID:1860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2580
      • C:\Windows\system32\tasklist.exe
        tasklist
        2⤵
        • Enumerates processes with tasklist
        PID:3796
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,134,68,90,168,164,48,36,74,145,194,184,0,171,33,10,81,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,134,207,73,36,33,220,51,169,216,24,1,100,86,219,228,221,25,0,213,234,183,9,170,128,155,49,6,20,168,28,231,79,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,13,3,55,184,141,77,103,8,224,103,25,194,116,76,193,185,131,58,87,3,111,142,36,184,77,120,108,26,67,244,20,25,48,0,0,0,106,149,233,187,89,98,74,231,30,160,114,65,172,69,245,48,244,114,198,109,235,88,130,231,136,45,89,26,54,95,105,27,141,231,221,237,204,107,197,175,190,182,162,216,230,28,193,54,64,0,0,0,112,212,134,205,222,222,129,28,80,105,26,187,38,172,156,106,88,235,175,54,43,103,230,117,49,112,180,159,12,117,120,222,104,78,61,205,114,231,87,123,187,16,20,197,24,140,126,139,123,248,140,233,115,26,139,136,108,2,180,112,126,191,105,211), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,134,68,90,168,164,48,36,74,145,194,184,0,171,33,10,81,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,77,220,213,239,127,76,70,253,225,9,214,149,189,224,37,147,8,202,237,78,209,247,255,236,84,111,225,101,69,108,178,224,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,117,81,243,82,41,159,199,223,204,73,103,111,193,135,9,14,132,26,34,12,235,123,230,201,169,244,90,144,34,76,188,48,0,0,0,103,67,212,89,139,219,208,12,37,159,138,33,74,199,53,203,187,122,61,189,179,21,79,56,96,39,162,175,169,163,231,4,19,159,69,21,101,235,225,145,193,122,185,39,89,246,188,16,64,0,0,0,13,24,255,63,225,128,47,197,143,32,42,215,150,140,115,113,251,41,122,237,27,31,133,254,7,138,30,232,191,164,12,191,22,21,25,82,217,147,12,165,169,188,154,153,135,43,133,158,163,36,65,228,250,207,73,204,196,224,135,72,228,146,75,229), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:5088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      6cf293cb4d80be23433eecf74ddb5503

      SHA1

      24fe4752df102c2ef492954d6b046cb5512ad408

      SHA256

      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

      SHA512

      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      d8b9a260789a22d72263ef3bb119108c

      SHA1

      376a9bd48726f422679f2cd65003442c0b6f6dd5

      SHA256

      d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

      SHA512

      550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      446dd1cf97eaba21cf14d03aebc79f27

      SHA1

      36e4cc7367e0c7b40f4a8ace272941ea46373799

      SHA256

      a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

      SHA512

      a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      8e26941f21dac5843c6d170e536afccb

      SHA1

      26b9ebd7bf3ed13bc51874ba06151850a0dac7db

      SHA256

      316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0

      SHA512

      9148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4vjjd2tq.bhn.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2052-95-0x00007FF633010000-0x00007FF634599000-memory.dmp

      Filesize

      21.5MB

      Download

    • memory/3080-5-0x00000134A62F0000-0x00000134A6312000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3168-35-0x00000230D5260000-0x00000230D52B0000-memory.dmp

      Filesize

      320KB

      Download