Malware Analysis Report

2025-08-05 23:18

Sample ID 250115-11yzfawrby
Target 2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia
SHA256 b2aed06117f9fb6295dcf698690fb177a8838524009039f08728ca5f34b9af64
Tags
discovery evasion spyware stealer trojan
score
7/10

Analysis Overview

score
7/10

SHA256

b2aed06117f9fb6295dcf698690fb177a8838524009039f08728ca5f34b9af64

Threat Level: Shows suspicious behavior

The file 2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion spyware stealer trojan

Reads user/profile data of web browsers

Checks installed software on the system

Checks whether UAC is enabled

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2025-01-15 22:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 22:07

Reported

2025-01-15 22:10

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 inststats-1582571262.us-east-1.elb.amazonaws.com udp
US 8.8.8.8:53 api.ibario.com udp
US 174.36.241.171:80 api.ibario.com tcp
US 174.36.241.171:80 api.ibario.com tcp

Files

memory/1568-0-0x0000000002820000-0x00000000029DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\i4u2ih554\gui\page_3407_attr_3.png

C:\Users\Admin\AppData\Local\Temp\i4u2ih554\gui\page_3407_attr_46.bmp

C:\Users\Admin\AppData\Local\Temp\i4u2ih554\wizard.xml

memory/1568-88-0x00000000027F0000-0x00000000027F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\i4u2ih554\gui\3253.html

memory/1568-162-0x00000000027F0000-0x00000000027F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 22:07

Reported

2025-01-15 22:10

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2025-01-15_035cdf44da0eb8d5e010d733bc89a058_mafia.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 inststats-1582571262.us-east-1.elb.amazonaws.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 api.ibario.com udp
US 174.36.241.171:80 api.ibario.com tcp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 174.36.241.171:80 api.ibario.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/4948-0-0x0000000004040000-0x00000000041FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f6g11hbw\gui\page_3407_attr_3.png

C:\Users\Admin\AppData\Local\Temp\f6g11hbw\gui\page_3407_attr_46.bmp

C:\Users\Admin\AppData\Local\Temp\f6g11hbw\wizard.xml

memory/4948-88-0x0000000003E60000-0x0000000003E61000-memory.dmp

memory/4948-103-0x0000000003E60000-0x0000000003E61000-memory.dmp