Maze Ransomware Group Possible Country of Origin

Maze Ransomware group has not slowed down even though much of the world has ground to a halt. One of Maze’s most recent targets was a wireless internet service provider in the USA. When Maze group is successful in locking and exfiltrating data from a company they post basic company info, lock date, and some of the stolen data as proof that they are not bluffing. According to a recent press release Maze waits 3-5 days with no company contact to post any information.

Usually the proof data is a few choice stolen files, but in this case all that was uploaded to Maze’s blog was two screenshots of a Linux file browser screen showing the names of some of the stolen files. I took a screenshot of both screenshots and redacted any file names.

McAfee’s analysis of code used in one of the Maze group’s attacks found that all of the command and control servers that were contacted by Maze’s ransomware were located in Russia. These screenshots seem to add more evidence that Maze group is operating out of Russia. Unless the OS language and time zone are set up to be intentionally misleading they are Russian and MSK (Moscow) respectively. The other non-proprietary information we can get from these screenshots was that the target was likely running an outdated OS, Windows XP. The folder that has been opened in the screenshot is “Acer > Documents and Settings > 1 > My Documents > Backsaves” – where the folder “Documents and Settings” is specific to Windows XP.

Another interesting thing that may point to a country of origin is the text of some of Maze’s “Press Releases”. Their latest release was about a multinational company that had become one of their “clients”. I don’t intend to enable Maze group so I’ve removed identifying information about their target but left the odd phrasing. I have colored sentences with missing or incorrect articles in purple.

Due to frequent inquires from various media about [COMPANY NAME] we decided to make a special press release.

The [COMPANY NAME is pretty larger: [COMPANY WEBSITE] . 5 major departments. [COMPANY DEPARTMENT NAMES]

Market capitalization of [TEN] billion and the profit of [HUNDREDS OF] millions according [BLOOMBERG ARTICLE]. Main activities in Real Estate, Construction and Telecomunications.

The company has offices in a few countries. We were contacted by [COUNTRY 1] and [COUNTRY 2] offices.

So lets examine the company. A few thousand millions of turnaround. A few thousands employees.

[COMPANY NAME] was attacked on [DATE]. The hole in the security perimeter was giant. It was so big that it was possible to download 200 Gb of private info in just 2 days. The was everything. Contracts, Clients, Employees Personal Data, Access credentials and much more interesting stuff.

In those 2 days company’s security didn’t even check the enormous activity inside the company’s network.
But despite of that, all the breaches inside the security perimeter are still open. That’s not because of COVID. It’s just the the laziness and absence of any will to do something.

The company continues to live and work with the slogan «We have profit and it doesn’t matter who’s having psychologists us».

The negotiations are another funny story. It’s like a manual for business analytics and psychologists «How to ruin the negotiations».

It all begins with words of the scared employee of [COUNTRY 1] Office asking us What to do in such situation. It’s all ended with the words of the company’s president being insulted by the fact, some hackers have contacted personally his royal highness.

Dear mr. President. With your arrogance you have endangered not only your employees, but also your business partners. We have got access to some of your business partners through your network. And some of them will be attacked for sure.

Does it worth it to work with such «Giants». Does it worth investing at it? The company’s management doesn’t care about the company’s future. It doesn’t care about the data and about it’s business partners.

All we know is that the companies like [COMPANY NAME] will fail in the new economic reality.

We are going to make press releases about every large company that will try to escape the negotiations. So the companies’ investors will understand what company they are dealing with.

This is clearly not written by someone with English as their first language, but it also does not appear to my (totally unqualified) eye to have been automatically translated. The sentences leave out articles, which is not unique to native speakers of Slavic languages but certainly does not rule out Russia. According to Wikipedia the Russian language does not have definite, indefinite, numbered, gendered, or case-inflected articles. According to a native speaker of Ukrainian I spoke with, Russian speakers have trouble knowing which English articles to use and where.

Another seemingly relevant fact is that according to McAfee’s analysis none of Maze’s listed “clients” are Russian companies. If a non-Russian, Slavic language speaking country was carrying out these attacks I would think they would target Russian companies. Understanding the language and business practices of a target company are important for Maze’s bait to be enticing. Is this conclusive evidence that the Maze ransomware group is operating out of Russia? Maybe not, but it does add plausibility to the theory.

Maybe analysis of the other evidence files posted by Maze will reveal more clues about the group but I will leave that up to the professionals.

DeepSpeech Dispatch Mapping Part 2: Minimum Viable Product

From talking with someone much smarter and more experienced than me, I need to narrow the scope of my project in order to test some of the key back-end pieces of a dispatch mapping platform. The following questions need to be answered at a minimum:

  1. Can DeepSpeech be trained to reliably transcribe addresses from scanner audio?
  2. Can addresses be detected and extracted from transcribed audio?
  3. Can those addresses be validated?

So what does the minimum viable product look like?

Scanner audio is fed to DeepSpeech and a list of addresses is produced. The most basic thing I can gain from scanner audio is “a call happened at these addresses”.

To generate good training data, Amazon will transcribe audio at about 6 cents a minute and Google will do it for 2 cents a minute. Even better, Google Cloud gives a 300 dollar credit to free accounts for the first year. Without even signing up, let’s test whether Google’s speech-to-text engine will detect addresses without any fiddling.

I uploaded this clip:


Here’s what Google’s demo was able to identify out of all that:

The model picked out the address! Now on to question 2: can we pick out an address from a bunch of other garbage? The best tool for this is probably a regular expression. I am no RegEx expert, so I did a quick search and found this possibly over-complicated way of detecting most addresses.

The expression:

/(?:(?<=^)|(?<=[;:.,|][ ])|(?<=[[('"]))(?:[)]?P\.?O\.?(?:(?i)[ ]?Box)?[ ]{0,2}(?<PO>\d{1,5})[)]?|(?<HouseNumber>(?>(?:(?<NumberException>(?:19[789]|20[0123])\d)|\d+?(?:[-\\\/]\d{1,3})?)(?=(?:[;,]|[-\\\/]?[A-Za-z]\d?)?\s)))(?:(?<DoorSide>[-\\\/]?[A-Za-z]\d{0,2}))?,?\s{0,2}(?>(?:(?:^|[ ]{1,2})(?<StreetPrefix>AU|EI?|GR|H[AW]|JO|K|M[AEM]|N[EOW]?|O[HLMV]|RD|S[EW]?|TE|W)\b)?)(?:(?:^|[ ]{1,2})(?<StreetName>(?:\p{Lu}[-'\p{L}]*?(?:\.?[ ]{1,2}\p{Lu}[-'\p{L}]*?){0,8}?(?>(?<StreetNameIndicator>(?i)BOULEVARD|PLAZA|ROAD|STR(?:ASSE|EET)|WA(?:LK|Y))?)|(?<StreetOrdinal>\d{1,3}(?:[. ]?(?:°|st|[nr]d|th))))\b))(?:(?:(?>[ ]{1,2}(?i)(?<StreetType>A(?:C(?:CESS|RES)|LLEY|NX|PPROACH|R(?:CADE|TERY)|VE(?:NUE)?)|B(?:A(?:NK|SIN|Y)|CH|E(?:ACH|ND)|L(?:DG|VD)?|O(?:ULEVARD|ARDWALK|WL)|R(?:ACE|AE|EAK|IDGE|O(?:ADWAY|OK|W))?|YPASS)|C(?:A(?:NAL|USEWAY)|ENTRE(?:WAY)?|H(?:A(?:NN?EL|SE)?)?|I(?:R(?:C(?:LET?|U(?:IT|S)))?)?|L(?:B|OSE)?|O(?:MMON|NCOURSE|OP|PSE|R(?:[DK]|NER|S[OT])|UR(?:[VS]E|T(?:YARD)?)|VE)?|R(?:ES(?:CENT|T)?|IEF|OSS(?:ING)?)|T[RS]?|U(?:LDESAC|RVE)|V)|D(?:ALE|EVIATION|I[PV]|M|OWNS|R(?:IVE(?:WAY)?)?)|E(?:ASEMENT|DGE|LBOW|N(?:D|TRANCE)|S(?:PLANADE|T(?:ATE|S))|X(?:P(?:(?:(?:RESS)?WA)?Y)|T(?:ENSION)?))|F(?:AIRWAY|I(?:ELDS?|RETRAIL)|L(?:DS?|S)|O(?:LLOW|R(?:D|MATION))|R(?:D|EEWAY|ONT(?:AGE|ROAD)?))|G(?:A(?:P|RDENS?|TE(?:S|WAY)?)|L(?:ADE|EN)|R(?:ANGE|EEN|O(?:UND|V(?:ET?)?))?)|H(?:AVEN|BR|E(?:ATH|IGHTS)|I(?:GHWAY|LL)|L|OUSE|TS|UB|WY)|I(?:NTER(?:CHANGE)?|SLAND)|J(?:C|UNCTION)|K(?:EY|NOLL)|L(?:A(?:NE(?:WAY)?)?|DG|IN(?:E|K)|N|O(?:O(?:KOUT|P)|WER)?)|M(?:A(?:LL)?|DWS?|E(?:A(?:D|NDER)|WS)|L|NR|OT(?:EL|ORWAY))|NO(?:OK)?|O(?:L|UTLOOK|V(?:ERPASS)?)|P(?:A(?:R(?:ADE|K(?:LANDS|WAY)?)|SS|TH(?:WAY)?)?|DE|I(?:ER|[KN]E)|KW?Y|L(?:A(?:CE|ZA)|Z)?|O(?:CKET|INT|RT)|RO(?:MENADE|PERTY)|T|URSUIT)?|QUA(?:D(?:RANT)?|YS?)|R(?:A?(?:MBLE|NCH)|DG?|E(?:ACH|S(?:ERVE|T)|T(?:REAT|URN))|I(?:D(?:E|GE)|NG|S(?:E|ING))|O(?:AD(?:WAY)?|TARY|U(?:ND|TE)|W)|R|UN)|S(?:CH|(?:ER(?:VICE)?WAY)|IDING|LOPE|MT|P(?:PGS|UR)|Q(?:UARE)?|T(?:A(?:TE)?|CT|EPS
|HY|PL|RAND|R(?:EET|IP)|TER)?|UBWAY)|T(?:ARN|CE|E(?:R(?:RACE)?)?|HRO(?:UGHWAY|WAY)|O(?:LLWAY|P|R)|R(?:A(?:CK|IL)|FY|L)?|URN)|UN(?:DERPASS|IV)?|V(?:AL(?:E|LEY)|I(?:EW|S(?:TA)?)?|L(?:GS?|Y))|W(?:A(?:L[KL](?:WAY)?|Y)|HARF|YND)|XING)\b\.?){1,2})??(?>(?:[ ]{1,2}(?<StreetSuffix>E|N[EW]?|S[EW]?|W)\b)?))(?:(?:^|[ ]{1,2}|[;,.]\s{0,2}?)(?i)(?<Apt>(?:[#]?\d{1,5}(?:[. ]{0,2}(?:°|st|[nr]d|th))?[;,. ]{0,2})?(?:(?:(?>(?:A|DE)P(?:AR)?T(?:MENT)?S?|B(?:UI)?LD(?:IN)?G?|FL(?:(?:OO)?R)?|HA?NGS?R|LOT|PIER|RM|S(LIP|PC|T(E|OP))|TRLR|UNIT|(?=[#]))(?:[ ]{1,2}[#]?\w{1,5})??|BA?SE?ME?N?T|FRO?NT|LO?BBY|LOWE?R|OF(?:C|FICE)|P\.?H|REAR|SIDE|UPPR)){1,3}(?:[#;,. ]{1,3}(?:[-.]?[A-Z\d]){1,3})?)[;,.]?)?)(?<CityState>[-;,.[(]?\s{1,4}(?<City>[A-Z][A-Za-z]{1,16}[.]?(?:[- ](?:[A-Z][A-Za-z]{0,16}|[a-z]{1,3})(?:(?:[- ][A-Za-z]{1,17}){1,7})?)?)(?<!\s[ACDF-IK-PR-W][AC-EHI-PR-Z])[)]?(?>(?<State>[-;,.]?\s{1,4}[[(]?(?<StateAbbr>A[LKSZRAP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])\b[])]?|[-;,.]\s{0,3}[ ][[(]?(?=[A-Z])(?<StateName>(?i)Ala(?:bam+a|[sz]ka)|Ari[sz]ona|Arkan[sz]as|California|Colorado|Con+ec?t+icut+|Delaw[ae]re?|Flori?da|Georgia|Haw+ai+|Idaho|Ill?inois|Indiana|Iowa|Kansas|Kentu[ck]+[iy]|Louis+ian+a|Ma(?:ine|r[iy]land|s+achuset+s)|Mi(?:chigan|n+es+ot+a|s+is+ip+i|s+ouri)|Montana|Ne(?:bra[sz]ka|vada|w[ ]?(?:Hamp?shire|Jerse[iy]|Mexico|York))|[NS](?:o[ru]th|[.])[ ]?(?:Carolina|Dakota)|Ohio|Oklahoma|Oregon|Pen+s[iy]lvan+[iy]a|Rh?oa?de?[ ]?Island|Ten+es+e+|Texas|Ut+ah?|Vermont|Washington|(?:W(?:est|[.])?[ ]?)?Virginia|Wi[sz]cou?nsin|W[iy]om[iy]+ng?)[])]?)?)(?(State)|(?:(?<=[)])|(?! [A-Z]))))?(?>(?:[-;,.\s]{0,4}(?:^|[ ]{1,2})[[(]?(?<ZipCode>(?!0{5})\d{5}(?:-\d{4})?)[])]?)?)(?(State)|(?(ZipCode)|(?(City)(?!)|(?(PO)|(?(NumberException)(?!)|(?(StreetNameIndicator)|(?(StreetType)|(?(StreetPrefix)|(?!)))))))))(?=[]).?!'"\s]|$)(?![ ]+\d)/gmx

I tried this expression against the output of Google’s speech-to-text demo on regex101.com and it correctly identified the address:

I am confident from these quick and dirty tests that Google is the best and cheapest option for generating training data, and the addresses can be identified in a string of text. The next steps towards a minimum viable product will be to learn how Google’s speech-to-text API works and start generating text that will be the starting point for DeepSpeech training data.
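Questions 2 and 3 (detect an address, then validate it) as an added Python example. This is not the post’s code and not a port of the large expression above: it is a deliberately small extractor with an explicit validation step, run over constructed transcripts written in the digit form the speech-to-text demos produce. The street-type list, the filler-word list and the house-number range are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Street-type words the extractor accepts; a small subset of the street
# types the large expression above knows about (assumed list).
STREET_TYPES = (
    "road rd street st avenue ave drive dr lane ln boulevard blvd highway hwy "
    "court ct pike way circle cir square sq place pl"
).split()

# Words that never belong in a street name (assumed list). A candidate that
# contains one is almost always speech-to-text noise that followed a number.
FILLER_WORDS = {"and", "the", "of", "at", "be", "to", "uh", "in", "on", "for", "a"}

ADDRESS_RE = re.compile(
    r"\b(?P<number>[1-9]\d{0,5})\s+"                 # house number, no leading zero
    r"(?P<street>(?:[a-z][a-z']*\s+){1,4}?)"         # 1-4 street-name words (lazy)
    r"(?P<type>" + "|".join(STREET_TYPES) + r")\b"   # must end in a street type
)


@dataclass
class Address:
    number: str
    street: str
    street_type: str
    valid: bool
    reason: str = ""


def validate(number: str, street: str) -> str:
    """Return "" when the candidate looks like a real street address, else why not."""
    if int(number) > 99999:
        return "house number out of range"
    bad = [w for w in street.split() if w in FILLER_WORDS]
    if bad:
        return "street name contains filler word(s): " + ", ".join(bad)
    return ""


def extract_addresses(transcript: str) -> List[Address]:
    """Find every address-shaped span in speech-to-text output and validate it."""
    found = []
    for m in ADDRESS_RE.finditer(transcript.lower()):
        street = m.group("street").strip()
        reason = validate(m.group("number"), street)
        found.append(Address(m.group("number"), street, m.group("type"),
                             valid=(reason == ""), reason=reason))
    return found


def valid_addresses(transcript: str) -> List[str]:
    """Only the candidates that passed validation, as 'number street type'."""
    return [f"{a.number} {a.street} {a.street_type}"
            for a in extract_addresses(transcript) if a.valid]


# Constructed sample transcripts (not the page's audio), in the digit form the
# speech-to-text demos on this page produce. The second one carries a garbled
# address glued to a number; the third contains unit numbers but no address.
SAMPLE_TRANSCRIPTS = [
    "welfare 12675 taylor's town road and be 5 20 at the request of "
    "martinsburg p d in berkeley county west virginia",
    "suspicious vehicle 2125 bureau hunting and square be 280 uh but also 265",
    "unit 315 you can go in service 315 were you direct",
]

if __name__ == "__main__":
    for text in SAMPLE_TRANSCRIPTS:
        for address in extract_addresses(text):
            print(address)
```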

DeepSpeech Dispatch Mapping Part 1 of Many

New project time!

Well, it’s not really a new project. I’ve been thinking about this for a while. I want to use Mozilla’s TensorFlow implementation of Baidu’s DeepSpeech architecture combined with a TensorFlow-based classification system to map police/EMS dispatch events on Google Maps. The end result will be a map from the last 24 hours for the county with pins in every location that police/EMS were called to, with each pin having the transcribed summary of the mapped call.

The police/EMS scanner data will stream in real time from broadcastify.com, which provides this service for free for non-commercial purposes.

The trickiest part of this project will be training a TF model to recognize garbled radio traffic. In some ways this will be easier than having a model that can understand ALL speech. Dispatches use a standard protocol to make information easier to understand over noisy radio transmissions. A specific example of how data will be tagged is the NATO phonetic alphabet. A dispatcher is very unlikely to talk about an Echo or an Xray, so transcriptions used for training will train the model to transcribe “ECHO” as “E”.

Amazon’s cloud-based transcription service will be the starting point for creating training data. Mozilla’s Common Voice datasets are made up of sentence-long audio clips of human speech paired with transcriptions of each clip. It would be an unreasonable amount of manual work to transcribe hours and hours of scanner traffic, so splitting up several days’ worth of scanner archives and feeding them into Amazon Transcribe may be a good starting point for training data. Even if I have to do some manual QA, it’s going to save a lot of time.

Let’s see what we get out of Amazon Transcribe from this audio clip:


Twenty Alfa. Lots of yelling and screaming Clayton have, according the noise, it can’t be contacted. This needed silver of Fifty Five Alfa returns to Peter Howard weren’t as license native. One Four Forty Five Twenty Alfa the number of Five, Seven One, Four, Three Eight Nine Five Nine zero Forty Five Alfa Know which felt special man was like Five Alfa average welfare. One, Two Six, Seven Five. Taylor’s Town Road and be Five Twenty At the request of Pittsburgh P. D in Berkeley County, West Virginia. There, agency had reported to a domestic and an address in Martinsburg upon arrivals. There were signs of a struggle inside. Men forced entry into the residence. Officers did not locate anyone inside, but did see multiple signs of a struggle. The female victim in her vehicle are not at the residence. They were able to paint in the victim’s cell phone, which is dropping within a mile of the severance. Seen it for further double. Zero. Fifty Seven Four Three Forty Five. You can put Three 15 Alfa and Service and put me on Three Forty hours. Call him right down the street from him. Three 15 Outside, you can go in service. Three. 15 of us Were you dressed? Traffic down under Fifty. Enough. A little Zulu Fifty Burn. Always complete. Seven. Onside itself conquered Port Three Two Seventy. Music for several hours. Seven. Fifty Nine. Well, the son of the protective order, right Would place Fifty Nine Three. Forty Alfa Direct Three. Forty Five Alfa. You can go into service, right Three Forty Five out through 100 Two. Forty Reckoned Eight Seventy Two. Seventy He called himself Alfa Two Sixty Five Alfa for suspicious vehicle Two One Two Five Bureau hunting and square Be Two Eighty, Uh, but also Two Sixty Five further on your cold. No one is in the car in the parking lot and lot of five minutes Is a blue van or truck because it’s to keep on the hunt and is open in the back. There’s a black wrap I don’t Inside the open area that appears to be a body. You’re One 11 Three. I’m happy. 
Verbal altercations for you. Response to the area of Eight Oh, Nine beliefs of square northeast color of eyes in here, eh? Young woman and a male believes the immediate arguing back and forth cannot see them can only hear them from out Five Three. Here’s the second everything. Four. Twenty Oscar. He really from the call that I was put on, the One give her everything One Fifty.

I did a spot check for locations in the transcript that were mostly correct or totally correct, which I have bolded. Amazon gives us the option to use what they call custom vocabularies: lists or tables of words that are likely to appear in a transcript, which make transcription more accurate. As a test, before starting the transcription job for the audio file above, I created a custom vocabulary with the following words:

Alfa,Bravo,Charlie,Delta,Echo,Foxtrot,Golf,Hotel,India,Juliett,Kilo,Lima,Mike,November,Oscar,Papa,Quebec,Romeo,Sierra,Tango,Uniform,Victor,Whiskey,X-ray,Yankee,Zulu,One,Two,Three,Four,Five,Six,Seven,Eight,Nine,Twenty,Thiry,Forty,Fifty,Sixty,Seventy,Eighty,Ninety

I used these words as a test custom vocabulary because earlier transcription tests of scanner audio were not transcribing the NATO alphabet or numbers correctly. Both are important to transcribe because letters and numbers are used to identify police cars, fire trucks etc. Here are the transcription results WITHOUT the custom vocabulary:

20 hours. Lots of yelling and screaming Clayton have, according the noise. It can’t be contacted. This needed silver of Disney because all the returns to Peter Howard weren’t as license. Negative. One 4 45 20. The number of 571 43 9590 Prefer to talk about it? No one felt special Man was, like five out of welfare. 12675 Taylor’s Town Road and be 5 20 at the request of Pittsburgh P. D in Berkeley County, West Virginia. There, agency had reported to a domestic and an address in Martinsburg upon arrivals. There were signs of a struggle inside. Men forced entry into the residence. Officers did not locate anyone inside, but did see multiple signs of a struggle. The female victim in her vehicle are not at the residence. They were able to paint in the victim’s cell phone, which is dropping within a mile of the severance. Seen it for further double drove 57. Unit 3 45 You can put 3 15 outfit and service and put me on 3 40 hours. Call him right down the street from him. Get it 3 15 Outside you can go in service. 3 15 of us. Were you dressed? Traffic down Under is enough. A little busy burn. Always complete. Put it on. Site himself conquered port to 70 music for several hours. Similar 59. Well, the son of the protective order right would place with 59 3 40 Directory. 45 Alfa You can go into service right? 3 45,100 reported. Reckon David 72. 70. He called himself Salva to 65 Alfa for suspicious vehicle to 1 to 5 euro hunting and square beat to 80 uh, but also to 65 Further on your cold. No one is in the car in the parking lot, and lot of five minutes is a blue van or truck because it’s to keep on the hunt and is open in the back. There’s a black wrap I don’t inside the open area that appears to be a body. You’re 1 11 I’m happy. Verbal altercations for you. Response to the area of eight or nine Police of square northeast color of eyes in here, eh? Young woman and a male believes the immediate arguing back and forth cannot see them can only hear them from outside country. 
Here’s the second everything. You two for 20? He really from the call that I was put the other one. Give her everything. Yeah.

Let’s take a look at a small section from the first transcription of this scanner archive that describes what happened and who responded (“A Call”):

Here’s the human corrected transcript of this audio:

345A Welfare 12675 Taylor’sTown Town Road and be 5-20 at the request of Martinsburg P. D in Berkeley County, West Virginia. There, agency had reported to a domestic and an address in Martinsburg upon arrivals. There were signs of a struggle inside. and forced entry into the residence. Officers did not locate anyone inside, but did see multiple signs of a struggle. The female victim in her vehicle are not at the residence. They were able to ping in the victim’s cell phone, which is dropping within a mile of this address. Seen notes for further 00:57. 345A. Unit 345A. You can put 315A in service and put me on 340A’s Call I’m right down the street from him. Unit 315A you can go in service. 315A, Were you Direct? 315A I’m direct. 315A 00:58

One thing I didn’t make clear in the first draft of this blog is that the points below were based on assumptions – I have updated them based on more complete information.
A few things to help us understand what we are looking at:
  • Police cruisers are identified by three numbers followed by a letter.
  • The dispatcher calls out the current time in a 24 hour format as appropriate
  • In service means “ready to take a call”
  • “Direct” means “copy”
  • “Welfare” means the police need to check if someone is safe

So here it is in a more human readable format:

Dispatcher: 345A Welfare 12675 Taylor’sTown Road and be 5-20 at the request of Martinsburg P. D in Berkeley County, West Virginia. There, agency had reported to a domestic and an address in Martinsburg upon arrivals. There were signs of a struggle inside. and forced entry into the residence. Officers did not locate anyone inside, but did see multiple signs of a struggle. The female victim in her vehicle are not at the residence. They were able to ping in the victim’s cell phone, which is dropping within a mile of this address. Seen notes for further 00:57

345A: 345A

Dispatcher: Unit 345A?

345A: You can put 315A in service and put me on 340A’s Call I’m right down the street from him.

Dispatcher: Unit 315A you can go in service. 315A, Were you Direct?

315A: 315A I’m direct 

Dispatcher: 315A 00:58

Here’s how the data would look on a map:

When inspected:

Further work needs to be done to refine the custom vocabulary that Amazon Transcribe uses to create good training data. For cost reasons I want my own TensorFlow model, but having well-tagged data from Amazon is a first step. Once I have a working model I can tackle other challenges like training TensorFlow to classify events, as I did manually on the section of audio above, to make it easier to map and qualify.
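The radio conventions described in this post (ECHO transcribed as E, a unit being three digits plus a letter, the dispatcher’s 24-hour time stamps, and the “in service”, “direct” and “welfare” terms from the list above) turned into a normalizer for transcribed lines. This is an added Python example, not code from the project; the sample lines are constructed in the style of the custom-vocabulary transcript, and the number-word tables and keyword list are my assumptions.

```python
import re
from typing import Dict, List

# NATO phonetic alphabet -> letter, per the page's rule that "ECHO" is transcribed as "E".
NATO: Dict[str, str] = {w: w[0].upper() for w in (
    "alfa bravo charlie delta echo foxtrot golf hotel india juliett kilo lima "
    "mike november oscar papa quebec romeo sierra tango uniform victor whiskey "
    "xray x-ray yankee zulu").split()}

ONES = {**{w: i for i, w in enumerate("zero one two three four five six seven eight nine".split())}, "oh": 0}
TEENS = {w: 10 + i for i, w in enumerate(
    "ten eleven twelve thirteen fourteen fifteen sixteen seventeen eighteen nineteen".split())}
TENS = {w: 10 * (i + 2) for i, w in enumerate(
    "twenty thirty forty fifty sixty seventy eighty ninety".split())}

KEYWORDS = ("welfare", "in service", "direct")  # call-handling terms from the list above
UNIT_RE = re.compile(r"^\d{3}[A-Z]$")            # three digits plus a NATO letter, e.g. 345A


def tokenize(line: str) -> List[str]:
    """Lower-cased words and digit groups; the transcript's punctuation is dropped."""
    return re.findall(r"[a-z][a-z'-]*|\d+", line.lower())


def compact_numbers(tokens: List[str]) -> List[str]:
    """Collapse a run of spoken (or already numeric) digits into one string plus the
    NATO letter that follows, so 'three forty five alfa' and '3 45 alfa' both give
    '345A'. Adjacent groups with no word between them merge: there is no pause to split on."""
    out: List[str] = []
    i = 0
    while i < len(tokens):
        digits = ""
        while i < len(tokens):
            t = tokens[i]
            if t.isdigit():
                digits += t
            elif t in ONES:
                digits += str(ONES[t])
            elif t in TEENS:
                digits += str(TEENS[t])
            elif t in TENS:            # "forty five" -> 45, "forty" alone -> 40
                n = TENS[t]
                if i + 1 < len(tokens) and ONES.get(tokens[i + 1], 0):
                    n += ONES[tokens[i + 1]]
                    i += 1
                digits += str(n)
            else:
                break
            i += 1
        if digits:
            if i < len(tokens) and tokens[i] in NATO:
                digits += NATO[tokens[i]]
                i += 1
            out.append(digits)
        else:
            out.append(NATO.get(tokens[i], tokens[i]))  # lone NATO word -> letter
            i += 1
    return out


def parse_dispatch_line(line: str) -> Dict[str, object]:
    """Unit identifiers, 24-hour time stamps and call keywords from one transcribed line.
    A four-digit group counts as a time only if it is a valid HH:MM ('0057' -> '00:57')."""
    compact = compact_numbers(tokenize(line))
    text = " ".join(compact)
    return {
        "units": [t for t in compact if UNIT_RE.match(t)],
        "times": [f"{t[:2]}:{t[2:]}" for t in compact if len(t) == 4 and t.isdigit()
                  and int(t[:2]) < 24 and int(t[2:]) < 60],
        "keywords": [k for k in KEYWORDS if k in text],
        "text": text,
    }


# Constructed lines in the style of the custom-vocabulary transcript above; the
# third mimics the no-vocabulary output, which already uses digits.
SAMPLE_LINES = [
    "Three Forty Five Alfa, welfare, One Two Six Seven Five Taylor's Town Road. Seen notes for further Zero Zero Fifty Seven.",
    "Unit Three Fifteen Alfa you can go in service. Three One Five Alfa, were you direct?",
    "3 15 Alfa I'm direct. 3 15 Alfa zero zero 58.",
]
```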

Identifying Malware Using Virustotal’s Graph Feature

Let’s say I’ve come across a relatively new piece of malware and all I have is a hash that’s been blocked by a firewall or other security gateway. With a little bit of digging I can determine what family of malware this file belongs to even if the information on the “Detections” page of Virustotal is vague or generic.

Step 1: Look up the hash of the malware on VT

Step 2: Let’s take a look at Best.exe under “Bundled files”

There is no conclusive info on what malware we are dealing with, just indicators that the file may be unsafe. Often a good way to find out what a file is doing is to run it through a more detailed sandbox like Any.Run or Hybrid-Analysis.

Step 3: Google the bundled file hash

Google does a pretty good job of indexing search results from Any.Run and Hybrid-Analysis, so it’s a pretty good bet that this file has not been run through either platform. I did a search of this hash on both platforms but didn’t find it.

Step 4: Visualize the related files/IPs on Virustotal’s graph feature

By default contacted domains, IPs, and URLs are graphed.

Step 5: Determine what other files known to Virustotal communicate with the same IPs/URLs

We can assume that if more than one file communicates with the same URL/IP, it is probably being deployed by the same group/threat actor. Let’s start by adding any files that communicate with www[dot]marinerinternationaltravel[dot]com.

Let’s see if any of the other files that contact this domain are about the same size or have the same file name.

The 4 related files are within 4 kb of the file we are investigating and communicate with the same compromised host. None of the 4 hashes when googled have any sandbox results so we can move on to a different URL/IP.

Let’s try graphing www[dot]katiemcgowanmakeup[dot]net

There are no sandbox results for these 3 hashes but we have found a file of the exact same size as the file we are investigating so we are on the right track.

Let’s try www[dot]thebehim[dot]com

Only one of the hashes hasn’t already been checked – the other 3 were checked when we were investigating the first two domains.

Step 6: Let’s google the selected hash.

Ok now we’re cooking with heat – there’s an any.run entry for this hash (https://any.run/report/cf97285aafb87aa7d1d6fef61e0b4d9b51cd957eb7cac41eda63f9e1129abf5a/a81643da-4f84-4e47-9e0f-271cb8d111e7)

The report identifies this piece of malware as Formbook – an infostealer.

To confirm further that the file we have an any.run report for and the file we just have a hash for are related, I graphed which domains the two files BOTH contacted.

There is more than one compromised domain that both files communicate with, so this confirms that the two files were probably deployed by the same threat group and are the same or similar iterations of the same malware.

And just like that we have gone from just knowing the hash of a piece of malware to a full analysis in a sandbox in a few steps.
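Steps 5 and 6 as code, added here as an illustration rather than anything from the post or from VirusTotal: the file-to-domain relationships are inverted into the graph the post draws, walked domain by domain with the same “already checked” bookkeeping, and the candidates are ranked by the signals the post uses (shared contacted domains, size within 4 KB, same file name) so the strongest one is looked up in a sandbox first. The relationship data, hashes and domains are constructed placeholders, not indicators from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Sample:
    sha256: str             # placeholder identifiers below, not real hashes
    name: str
    size: int               # bytes
    domains: frozenset      # domains the sample contacted when sandboxed


@dataclass
class Pivot:
    sha256: str
    shared: List[str]       # domains contacted by both this sample and the target
    size_delta: int         # bytes
    score: int


def index_by_domain(corpus: List[Sample]) -> Dict[str, Set[str]]:
    """Invert file->domains into domain->files, the edges the graph view draws."""
    idx: Dict[str, Set[str]] = {}
    for s in corpus:
        for d in s.domains:
            idx.setdefault(d, set()).add(s.sha256)
    return idx


def expand_by_domain(target: Sample, corpus: List[Sample]) -> List[Tuple[str, List[str]]]:
    """Step 5: for each domain the target contacts, list the other files that contact
    it, skipping hashes already surfaced by an earlier domain (the post's
    'already checked' bookkeeping)."""
    idx = index_by_domain(corpus)
    seen = {target.sha256}
    result = []
    for d in sorted(target.domains):
        new = sorted(h for h in idx.get(d, set()) if h not in seen)
        seen.update(new)
        result.append((d, new))
    return result


def rank_related(target: Sample, corpus: List[Sample], size_tolerance: int = 4096) -> List[Pivot]:
    """Score candidates by the post's signals: shared contacted domains, size within
    4 KB (an exact match counts more) and an identical file name. Strongest first,
    so it is the hash to look up in a sandbox next (Step 6)."""
    by_hash = {s.sha256: s for s in corpus}
    pivots = []
    for _, hashes in expand_by_domain(target, corpus):
        for h in hashes:
            s = by_hash[h]
            shared = sorted(target.domains & s.domains)
            delta = abs(s.size - target.size)
            score = 2 * len(shared)
            score += 2 if delta == 0 else (1 if delta <= size_tolerance else 0)
            score += 1 if s.name.lower() == target.name.lower() else 0
            pivots.append(Pivot(h, shared, delta, score))
    return sorted(pivots, key=lambda p: (-p.score, p.sha256))


# Constructed relationship data (placeholder hashes and domains, not IoCs).
D1 = "a-compromised-site.example"
D2 = "b-compromised-site.example"
D3 = "c-compromised-site.example"
TARGET = Sample("hash-target", "Best.exe", 245760, frozenset({D1, D2, D3}))
CORPUS = [
    TARGET,
    Sample("hash-1", "invoice.exe", 246784, frozenset({D1, D2})),   # 1 KB larger, 2 shared
    Sample("hash-2", "best.exe", 245760, frozenset({D2, D3})),      # same size and name
    Sample("hash-3", "setup.exe", 900000, frozenset({D3})),         # one shared domain only
    Sample("hash-4", "other.exe", 245760, frozenset({"unrelated.example"})),
]

if __name__ == "__main__":
    for domain, new_hashes in expand_by_domain(TARGET, CORPUS):
        print(domain, "->", new_hashes)
    for p in rank_related(TARGET, CORPUS):
        print(p)
```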
Bonus: Digging into the Any.Run report

It looks like spoolsv.exe is the process that’s doing the nasty stuff: data exfiltration. If we click on “more info” we can find out more about what files this process is creating and what data it is sending back to the compromised domains.

The modified files tab is a good place to start, since stealer malware often writes stolen data to a file before it tries to exfil it. If we inspect the first .ini file on the list we see stolen Outlook credentials. The data is all packaged up and ready to be sent out:

**************************************************

Outlook Recovery
clsid {ED475414-B0D6-11D2-8C3B-00104B2A6676}
Mini UID 2324036977
Service UID
Service Name OMSAB
MAPI Provider 2
Account Name Mobile Address Book
Preferences UID

clsid {ED475414-B0D6-11D2-8C3B-00104B2A6676}
Mini UID 2324036977
Service UID
Service Name CONTAB
MAPI Provider 2
Account Name Outlook Address Book
Preferences UID

clsid {ED475414-B0D6-11D2-8C3B-00104B2A6676}
Mini UID 590346705
Service UID
Service Name MSUPST MS
MAPI Provider 4
Account Name Outlook Data File
Preferences UID

clsid {ED475411-B0D6-11D2-8C3B-00104B2A6676}
Mini UID 224868084
Account Name honey@pot.com
Display Name HoneyPot Mail
Email honey@pot.com
POP3 Server 192.168.1.1
SMTP Server 192.168.1.1
POP3 User honey@pot.com
POP3 Password honeypass356
SMTP Secure Connection 0
Leave on Server 917507
Delivery Store EntryID  l C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst
Delivery Folder EntryID

************************************************

Looking through the rest of the files created by this malware, we can see other data that would be very useful to an attacker, like an attempt to steal Internet Explorer data and a screenshot.