Analysis
-
max time kernel
149s
-
max time network
147s
-
platform
windows10-ltsc 2021_x64
-
resource
win10ltsc2021-20250113-en
-
resource tags
arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
-
submitted
15/01/2025, 22:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ServerHosting.exe
Resource
win10ltsc2021-20250113-en
7 signatures
150 seconds
General
-
Target
ServerHosting.exe
-
Size
183KB
-
MD5
a5020bd836a43cdac8f09c46ff347996
-
SHA1
db26350ef5ad05ac6e3f143c9f467710909a966c
-
SHA256
a43a90764ac632610c9a0ec709604aded75b7e338ee81071da63e4a9d294236b
-
SHA512
9c7c972a0dbf52480c2d467a064a6bd45ad41850f9cc5e341b5d5a4ad45fbdf6ec04b6856f751710a54456d42d3b18e50ceab2dcd076436a2fa4b1db06ff1ac0
-
SSDEEP
3072:GurlxKc5jBwZde2vBVQF4EWjFRA229YvepcCBKXSpL:lrlxjYdeAVQF4EWx92iepcCBKi
Score
7/10
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerHosting = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ServerHosting.exe"
Process: ServerHosting.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow: 41, ioc: 8.tcp.ngrok.io
flow: 6, ioc: 8.tcp.ngrok.io
flow: 30, ioc: 8.tcp.ngrok.io
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid: 556, Process: ServerHosting.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid: 556, Process: ServerHosting.exe