File name: | Kraken.bin (2) |
Full analysis: | https://app.any.run/tasks/afabd180-b5b9-4951-b090-e351f74ecf36 |
Verdict: | Malicious activity |
Threats: | Kraken is a trojan malware with infostealing capabilities that was first spotted in May of 2023. The malware can perform a wide range of malicious activities, including logging users’ keystrokes. The data then can be sent to the attacker using several protocols. The operators behind the Kraken stealer usually distribute it via phishing emails. |
Analysis date: | December 06, 2019, 21:05:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 6AC062D21F08F139D9F3D1E335E72E22 |
SHA1: | 9E967A759E894A83C4B693E81C031D7214A8E699 |
SHA256: | 564154A2E3647318CA40A5FFA68D06B1BD40B606CAE1D15985E3D15097B512CD |
SSDEEP: | 1536:0bPX/gJxDFgu02gM+LXbtQ5IxWwbglROAnbFmYVKCKclF:0cxz1gxXSNwbYcYVKhYF |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
---|---|---|
.exe | | | Win64 Executable (generic) (21.3) |
.scr | | | Windows screen saver (10.1) |
.dll | | | Win32 Dynamic Link Library (generic) (5) |
.exe | | | Win32 Executable (generic) (3.4) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2018:10:04 12:22:18+02:00 |
PEType: | PE32 |
LinkerVersion: | 48 |
CodeSize: | 98304 |
InitializedDataSize: | 2048 |
UninitializedDataSize: | - |
EntryPoint: | 0x19e76 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | - |
CompanyName: | - |
FileDescription: | UAC |
FileVersion: | 1.0.0.0 |
InternalName: | UAC.exe |
LegalCopyright: | Copyright © 2018 |
LegalTrademarks: | - |
OriginalFileName: | UAC.exe |
ProductName: | UAC |
ProductVersion: | 1.0.0.0 |
AssemblyVersion: | 1.0.0.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 04-Oct-2018 10:22:18 |
Debug artifacts: |
|
Comments: | - |
CompanyName: | - |
FileDescription: | UAC |
FileVersion: | 1.0.0.0 |
InternalName: | UAC.exe |
LegalCopyright: | Copyright © 2018 |
LegalTrademarks: | - |
OriginalFilename: | UAC.exe |
ProductName: | UAC |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 04-Oct-2018 10:22:18 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00017E7C | 0x00018000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.23125 |
.rsrc | 0x0001A000 | 0x0000057C | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.00735 |
.reloc | 0x0001C000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
884 | "C:\Users\admin\Desktop\Kraken.bin (2).exe" | C:\Users\admin\Desktop\Kraken.bin (2).exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: UAC Exit code: 0 Version: 1.0.0.0 | ||||
788 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | Kraken.bin (2).exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1972 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | Kraken.bin (2).exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3124 | "C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe" | C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe | eventvwr.exe | |
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.1.7.9 | ||||
3228 | "tasklist" /V /FO CSV | C:\Windows\system32\tasklist.exe | — | krakentemp0000.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Lists the current running tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3488 | "C:\Users\admin\Desktop\Kraken.bin (2).exe" | C:\Users\admin\Desktop\Kraken.bin (2).exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: UAC Exit code: 3762507597 Version: 1.0.0.0 | ||||
3424 | dw20.exe -x -s 372 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | — | Kraken.bin (2).exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Error Reporting Shim Exit code: 0 Version: 2.0.50727.4927 (NetFXspW7.050727-4900) | ||||
2140 | "C:\Windows\System32\cmd.exe" /C cd C:\ProgramData\ && release.bat | C:\Windows\System32\cmd.exe | — | krakentemp0000.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
4032 | "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S "C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe" | C:\Windows\System32\cmd.exe | — | krakentemp0000.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
856 | ping 127.0.0.1 -n 3 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3124 | krakentemp0000.exe | C:\Users\admin\Contacts\admin.contact | — | |
MD5:— | SHA256:— | |||
3124 | krakentemp0000.exe | C:\Users\admin\Desktop\basistown.rtf | — | |
MD5:— | SHA256:— | |||
3124 | krakentemp0000.exe | C:\Users\admin\Desktop\carecoverage.png | — | |
MD5:— | SHA256:— | |||
3124 | krakentemp0000.exe | C:\Users\admin\Desktop\clientsdating.jpg | — | |
MD5:— | SHA256:— | |||
3124 | krakentemp0000.exe | C:\Users\admin\Desktop\decemberresearch.png | — | |
MD5:— | SHA256:— | |||
3124 | krakentemp0000.exe | C:\Users\admin\Desktop\duringsee.png | — | |
MD5:— | SHA256:— | |||
3124 | krakentemp0000.exe | C:\Users\admin\Desktop\germanyoperations.png | — | |
MD5:— | SHA256:— | |||
3124 | krakentemp0000.exe | C:\Users\admin\Desktop\groupsseason.rtf | — | |
MD5:— | SHA256:— | |||
3124 | krakentemp0000.exe | C:\Users\admin\Desktop\lastat.rtf | — | |
MD5:— | SHA256:— | |||
3124 | krakentemp0000.exe | C:\Users\admin\Desktop\michaelrss.rtf | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3124 | krakentemp0000.exe | GET | 301 | 216.58.206.14:80 | http://google.com/ | US | html | 219 b | whitelisted |
3124 | krakentemp0000.exe | GET | 301 | 216.58.206.14:80 | http://google.com/ | US | html | 219 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3124 | krakentemp0000.exe | 216.58.206.14:80 | google.com | Google Inc. | US | whitelisted |
3124 | krakentemp0000.exe | 216.239.32.21:443 | ipinfo.io | Google Inc. | US | whitelisted |
3124 | krakentemp0000.exe | 152.199.19.160:443 | download.sysinternals.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3124 | krakentemp0000.exe | 216.58.207.36:80 | www.google.com | Google Inc. | US | whitelisted |
3124 | krakentemp0000.exe | 104.28.12.103:80 | blasze.tk | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
ipinfo.io |
| shared |
blasze.tk |
| malicious |
google.com |
| whitelisted |
www.google.com |
| whitelisted |
download.sysinternals.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3124 | krakentemp0000.exe | A Network Trojan was detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
3124 | krakentemp0000.exe | Potential Corporate Privacy Violation | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) |
— | — | Potentially Bad Traffic | ET DNS Query to a .tk domain - Likely Hostile |
3124 | krakentemp0000.exe | A Network Trojan was detected | ET TROJAN [PTsecurity] Kraken Ransomware Start Activity 2 |
3124 | krakentemp0000.exe | A Network Trojan was detected | MALWARE [PTsecurity] Kraken Cryptor |
3124 | krakentemp0000.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ransomware.Kraken_Cryptor UA |
3124 | krakentemp0000.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ransomware.Kraken_Cryptor URL |
3124 | krakentemp0000.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
3124 | krakentemp0000.exe | A Network Trojan was detected | ET TROJAN [PTsecurity] Kraken Ransomware Start Activity 2 |
3124 | krakentemp0000.exe | A Network Trojan was detected | MALWARE [PTsecurity] Kraken Cryptor |