Analysis
-
max time kernel
93s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 12:24
Static task
static1
Behavioral task
behavioral1
Sample
ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe
Resource
win10v2004-20241007-en
General
-
Target
ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe
-
Size
289KB
-
MD5
ea2c30769d298e35ba11cd5c5ed2b04f
-
SHA1
e47bc5c3db4cfbc68dfbe6c48a88c87c29b38a13
-
SHA256
ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8
-
SHA512
5e8dd5244fd0c420c79aaf5c9aa7f112189696ae4f7caaa8082acff3e401df3d1d9f84ce4c8ef0c0a768fac4c2495afb192d72e40e2737b8144cb21adebaedb8
-
SSDEEP
6144:UBM4zzQdbt97XKCVqSYkRYfeIUd+NHHDWn9mWhi:4M44dN3YWTITHDqBi
Malware Config
Extracted
stealc
LogsDiller
http://185.219.81.132
-
url_path
/c3d039fb36c40339.php
Signatures
-
Stealc family
-
Program crash 2 IoCs
pid pid_target Process procid_target 1456 3996 WerFault.exe 81 376 3996 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3996 ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe 3996 ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe"C:\Users\Admin\AppData\Local\Temp\ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3996 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 12682⤵
- Program crash
PID:1456
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 12642⤵
- Program crash
PID:376
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3996 -ip 39961⤵PID:3392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3996 -ip 39961⤵PID:4516
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
GEThttp://185.219.81.132/ae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exeRemote address:185.219.81.132:80RequestGET / HTTP/1.1
Host: 185.219.81.132
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
POSThttp://185.219.81.132/c3d039fb36c40339.phpae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exeRemote address:185.219.81.132:80RequestPOST /c3d039fb36c40339.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKEHIIJJECFHJKECFHDG
Host: 185.219.81.132
Content-Length: 216
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Request132.81.219.185.in-addr.arpaIN PTRResponse132.81.219.185.in-addr.arpaIN PTR185-219-81-132 netherlands-2vpsac
-
Remote address:8.8.8.8:53Request134.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request200.163.202.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request140.71.91.104.in-addr.arpaIN PTRResponse140.71.91.104.in-addr.arpaIN PTRa104-91-71-140deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request22.236.111.52.in-addr.arpaIN PTRResponse
-
185.219.81.132:80http://185.219.81.132/c3d039fb36c40339.phphttpae5b9a35f35d710b849c3bfb37e848a129855768bd9929b7a85702de3e76e0c8_Sigmanly.exe822 B 625 B 7 5
HTTP Request
GET http://185.219.81.132/HTTP Response
200HTTP Request
POST http://185.219.81.132/c3d039fb36c40339.phpHTTP Response
200
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
73 B 122 B 1 1
DNS Request
132.81.219.185.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
134.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
74 B 160 B 1 1
DNS Request
200.163.202.172.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
140.71.91.104.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
22.236.111.52.in-addr.arpa