Analysis
- max time kernel: 898s
- max time network: 892s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20250113-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 15/01/2025, 22:04
Static task
- static1: 1 signature
Behavioral task
- behavioral1
  Sample: ServerHosting.exe
  Resource: win10ltsc2021-20250113-en
  10 signatures, 900 seconds
General
- Target: ServerHosting.exe
- Size: 183KB
- MD5: eb6a72e187ab08c083fd5d4f34093e95
- SHA1: 5253a5f60fe7f9188b37041fb725ec84ccc39ffe
- SHA256: 5ce530ab5407bcd9dd3d8f0381227d62c3e3c0eb64e13ecd55088f5f47bdaf0e
- SHA512: 99eab46001751ae86c78fbd2d35f1aff1685d86bc2fd9be9d8cc570a2209eed5b2b68d575fa09e33c18e58596645a7a8806bfc20083355080dea97c0f37c1d59
- SSDEEP: 3072:HurlxKcWiZde2vBVQF4EWjFRA229YvepcCBKX4pn:OrluwdeAVQF4EWx92iepcCBKo
Score: 7/10
Malware Config
Signatures
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerHosting = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ServerHosting.exe"
  Process: ServerHosting.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
  flow   ioc
  61     8.tcp.ngrok.io
  94     8.tcp.ngrok.io
  184    8.tcp.ngrok.io
  219    8.tcp.ngrok.io
  254    8.tcp.ngrok.io
  290    8.tcp.ngrok.io
  303    8.tcp.ngrok.io
  6      8.tcp.ngrok.io
  120    8.tcp.ngrok.io
  148    8.tcp.ngrok.io
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid    Process
  5092   ServerHosting.exe
  5092   ServerHosting.exe
  5092   ServerHosting.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    Process
  5092   ServerHosting.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid    Process
  Token: SeDebugPrivilege  5092   ServerHosting.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid    Process
  5092   ServerHosting.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  5092   ServerHosting.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ServerHosting.exe
  "C:\Users\Admin\AppData\Local\Temp\ServerHosting.exe"
  PID: 5092
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx