Analysis Overview
SHA256
a43a90764ac632610c9a0ec709604aded75b7e338ee81071da63e4a9d294236b
Threat Level: Shows suspicious behavior
The file ServerHosting.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Reads data files stored by FTP clients
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 22:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 22:03
Reported
2025-01-15 22:05
Platform
win10ltsc2021-20250113-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerHosting = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ServerHosting.exe" | C:\Users\Admin\AppData\Local\Temp\ServerHosting.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | 8.tcp.ngrok.io | N/A | N/A |
| N/A | 8.tcp.ngrok.io | N/A | N/A |
| N/A | 8.tcp.ngrok.io | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ServerHosting.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ServerHosting.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ServerHosting.exe
"C:\Users\Admin\AppData\Local\Temp\ServerHosting.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp |
| US | 3.19.130.43:8848 | 8.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 3.19.130.43:8848 | 8.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 3.19.130.43:8848 | 8.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp |
| US | 13.58.157.220:8848 | 8.tcp.ngrok.io | tcp |
| US | 13.58.157.220:8848 | 8.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 13.58.157.220:8848 | 8.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp |
| US | 3.142.81.166:8848 | 8.tcp.ngrok.io | tcp |
Files
memory/556-0-0x00007FFE6DE45000-0x00007FFE6DE46000-memory.dmp
memory/556-1-0x000000001B080000-0x000000001B126000-memory.dmp
memory/556-2-0x00007FFE6DB90000-0x00007FFE6E531000-memory.dmp
memory/556-3-0x000000001B680000-0x000000001BB4E000-memory.dmp
memory/556-4-0x000000001BBF0000-0x000000001BC8C000-memory.dmp
memory/556-5-0x00007FFE6DB90000-0x00007FFE6E531000-memory.dmp
memory/556-6-0x0000000000980000-0x0000000000988000-memory.dmp
memory/556-7-0x000000001BD90000-0x000000001BDDC000-memory.dmp
memory/556-8-0x000000001E9A0000-0x000000001ECB0000-memory.dmp
memory/556-9-0x00007FFE6DB90000-0x00007FFE6E531000-memory.dmp
memory/556-10-0x00007FFE6DE45000-0x00007FFE6DE46000-memory.dmp
memory/556-11-0x00007FFE6DB90000-0x00007FFE6E531000-memory.dmp