Windows Analysis Report
PIyT9A3jfC.exe
Overview
General Information
Sample Name: | PIyT9A3jfC.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
Original Sample Name: | db47df7cf51747e533c968da7452f1ce6d20f465d7fcd6e2eac559266ac3e9ed |
Analysis ID: | 1281447 |
MD5: | ca67c9c17a701b0664b90de372acdfb1 |
SHA1: | 8d7e388b5d276816279ef37e7cab9cd554251737 |
SHA256: | db47df7cf51747e533c968da7452f1ce6d20f465d7fcd6e2eac559266ac3e9ed |
Detection
Pushdo
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Backdoor Pushdo
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Snort IDS alert for network traffic
Machine Learning detection for sample
Injects a PE file into foreign processes
Sends many emails (e-Mail Spam)
Contains functionality to inject code into remote processes
Machine Learning detection for dropped file
Drops PE files to the user root directory
Contains functionality to inject threads in other processes
Tries to resolve many domain names, but no domain seems valid
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Connects to many different domains
Contains long sleeps (>= 3 min)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Connects to several IPs in different countries
Uses SMTP (mail sending)
Drops PE files to the user directory
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- PIyT9A3jfC.exe (PID: 7016 cmdline: C:\Users\user\Desktop\PIyT9A3jfC.exe MD5: CA67C9C17A701B0664B90DE372ACDFB1)
  - svchost.exe (PID: 4588 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  - svchost.exe (PID: 6632 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
- pigalicapi.exe (PID: 6532 cmdline: "C:\Users\user\pigalicapi.exe" MD5: CA67C9C17A701B0664B90DE372ACDFB1)
  - svchost.exe (PID: 3616 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  - svchost.exe (PID: 6664 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  - svchost.exe (PID: 3736 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  - svchost.exe (PID: 3788 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  - svchost.exe (PID: 5328 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
- pigalicapi.exe (PID: 6764 cmdline: "C:\Users\user\pigalicapi.exe" MD5: CA67C9C17A701B0664B90DE372ACDFB1)
  - svchost.exe (PID: 6964 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Pushdo | Pushdo is usually classified as a "downloader" trojan, meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is more sophisticated than most; that sophistication lies in the Pushdo control server rather than in the trojan itself. | No Attribution | | |
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Pushdo | Yara detected Backdoor Pushdo | Joe Security | |
No Sigma rule has matched
Timestamp: | 07/27/23-21:42:53.737718 |
Source IP: | 192.168.2.4 |
Destination IP: | 188.114.97.7 |
SID: | 2016867 |
Source Port: | 49682 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Avira URL Cloud: |
Source: | Joe Sandbox ML: |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Code function: | 1_2_01191989 |
Source: | Code function: | 1_2_01195EA0 |
Source: | Code function: | 3_2_00FC1989 |
Source: | Code function: | 3_2_00FC5EA0 |
Networking |
---|
Source: | Domain query: |
Source: | Network Connect: |
Source: | Snort IDS: |
Source: | DNS traffic detected: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | IP Address: |
Source: | Network traffic detected: |
Source: | HTTP traffic detected: |