Windows Analysis Report
gEkl9O5tiu.exe
Overview
General Information
Sample Name: | gEkl9O5tiu.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
Original Sample Name: | 2ea6c5e97869622dfe70d2b34daf564e |
Analysis ID: | 1292729 |
MD5: | 2ea6c5e97869622dfe70d2b34daf564e |
SHA1: | 45500603bf8093676b66f056924a71e04793827a |
SHA256: | 5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3 |
Detection
Phorpiex
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Phorpiex
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to determine the online IP of the system
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
May check the online IP address of the machine
Contains functionality to modify clipboard data
Send many emails (e-Mail Spam)
Machine Learning detection for dropped file
Writes a notice file (html or txt) to demand a ransom
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to detect sleep reduction / modifications
Contains functionality to check if Internet connection is working
Uses 32bit PE files
Tries to disable installed Antivirus / HIPS / PFW
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Connects to many different domains
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Uses SMTP (mail sending)
Found evaded block containing many API calls
PE file contains more sections than normal
Found evasive API chain (may stop execution after accessing registry keys)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Classification
- System is w7x64
- gEkl9O5tiu.exe (PID: 1580 cmdline: C:\Users\user\Desktop\gEkl9O5tiu.exe MD5: 2EA6C5E97869622DFE70D2B34DAF564E)
- 2550821914.exe (PID: 680 cmdline: C:\Users\user\AppData\Local\Temp\2550821914.exe MD5: 90CBEADCDA0AD6D4302C36AA9FD2A53C)
- sysesvcmw.exe (PID: 1384 cmdline: C:\Windows\ sysesvcmw.exe MD5: 90CBEADCDA0AD6D4302C36AA9FD2A53C)
- 1925824589.exe (PID: 1708 cmdline: C:\Users\user\AppData\Local\Temp\1925824589.exe MD5: 4F74BC597A7FA3989EC09EEFA2A3D00A)
- 150623101.exe (PID: 956 cmdline: C:\Users\user\AppData\Local\Temp\150623101.exe MD5: 0D539E8277F20391A31BABFF8714FDB0)
- 2465513676.exe (PID: 9636 cmdline: C:\Users\user\AppData\Local\Temp\2465513676.exe MD5: 41AB08C1955FCE44BFD0C76A64D1945A)
- sysesvcmw.exe (PID: 1840 cmdline: "C:\Windows\ sysesvcmw.exe" MD5: 90CBEADCDA0AD6D4302C36AA9FD2A53C)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Phorpiex | Proofpoint describes Phorpiex/Trik as an SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings. | No Attribution | | |
{"C2 url": "http://185.215.113.66/", "Wallet": ["1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6", "qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut", "XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL", "LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX", "rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH", "hx7b6677c8f7049c2a6e9df0dfd422683c32e67709", "QiAmmfSSTe5fkaSLdp9mV4MDHfz27JBoVU", "RCZdkrikMCWrhBG9gNVmmE9yDcQxSUbqFd", "NDKNTURHWAMQHNHMOPJML5FKZZPQIRE4IZFSMEU2", "ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ", "48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg", "SP1GK1GES8EXB6E15KQJ0EM169NQQNDZG8A2GDRZQ", "aCguZWA9zwz4Dk9zNyxdM96mzWnjLoxzYQ", "f1urg44xg2ziciji4akbxlkwb5y64msbmb7py5ury", "lsk5mjenfunkehcwu8mss9qd6emg3nrr78em82hwn", "zil1zucjet9qmgecmen2lm7n2pevu6pf8hg8vzgrl3", "erd1qvpwuwc2xue69enjtte7z3tekdclx9fc4769mlafc3vjt68hp5pq0s82xw", "kava14z663qgxvaq30dwdqepa6r94mhfnzww87nmz7f", "inj1s33ycsnpnh70ltzrcwvp7ahcpfwn7x9nnptsym", "osmo1nhtpu3gqq7d448u320xzkjk3j8f370v4f336xj", "3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC", "3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3", "D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH", "DsjozoLCkxdeec5NNLTPx5zRS23UjUm7C7v", "t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn", "terra1ax9ks6fmneqd997wgkdx35zntxfvswg0an2ym6", "tz1hG2rJaUJBkmwzMTw5KhzQdyPxqJAmu6k7", "bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd", "band1mgnt2v6n9x7pvfquj4ehguyhjytkjswql0uvhr", "bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut", "cosmos1lc7xvs0tyl3u57vgn4nsw2kldmp84lrw75c9g4", "addr1q8m948qxhth60qzhag0d3kck7p0y5gqkvnct4w9zwqljcn0kt2wqdwh057q906s7mrd3duz7fgspve8sh2u2yupl93xsjzumrw", "nano_1m1r95bjgfgtahh3dcxeexuidpr6kr799pfuue4u9xczdkymo8rsaebc4ed4", "GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE", "GU5ydEfPFXcUtEPqwcyX6AD7BkDAacHy4N", "EQA0PV0Evgs71IkPc8Ng0SrtM3ZZFK87K6B3SgR28VWP6rWT", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | |
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | |
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | |
No Sigma rule has matched
Snort IDS alerts

Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype |
---|---|---|---|---|---|---|---|
08/17/23-14:33:03.293413 | 192.168.2.22 | 54823 | 31.58.71.101 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:32:48.270504 | 192.168.2.22 | 54823 | 182.177.175.241 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:33:08.309919 | 192.168.2.22 | 54823 | 188.213.181.163 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:32:08.081550 | 192.168.2.22 | 54823 | 192.168.1.145 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:32:43.263228 | 192.168.2.22 | 54823 | 2.180.154.243 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:32:53.279443 | 192.168.2.22 | 54823 | 91.98.7.42 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:32:23.198989 | 192.168.2.22 | 54823 | 2.180.17.91 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:32:13.184875 | 192.168.2.22 | 54823 | 185.177.0.201 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:32:18.190445 | 192.168.2.22 | 54823 | 2.185.229.68 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:32:38.244092 | 192.168.2.22 | 54823 | 2.176.69.250 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:32:33.222711 | 192.168.2.22 | 54823 | 178.236.111.156 | 40500 | UDP | 2044077 | A Network Trojan was detected |
08/17/23-14:32:03.067553 | 192.168.2.22 | 54823 | 59.91.192.117 | 40500 | UDP | 2044077 | A Network Trojan was detected |
AV Detection
- Source: Malware Configuration Extractor
- Source: ReversingLabs
- Source: Virustotal (Perma Link)
- Source: Avira URL Cloud (27 entries)
- Source: Avira
- Source: ReversingLabs (6 entries)
- Source: Joe Sandbox ML (6 entries)
- Source: Code function: 4_2_0040A870, 5_2_0040A870, 6_2_0040A870

Phishing
- Source: File source (19 entries)
- Source: Static PE information
- Source: File opened (Jump to behavior)
- Source: Static PE information
- Source: Code function: 4_2_00404E80, 4_2_00404FC0, 5_2_00404E80, 5_2_00404FC0, 6_2_00404E80, 6_2_00404FC0

Networking
- Source: Snort IDS (12 entries)
- Source: Code function: 9_2_00EA17D0
- Source: DNS query (2 entries)
- Source: Code function: 4_2_00409540, 5_2_00409540, 6_2_00409540
- Source: IP Address
- Source: Network traffic detected
- Source: HTTP traffic detected