Edit tour
Windows
Analysis Report
KMPrEVaSfH.exe
Overview
General Information
| Sample name: | KMPrEVaSfH.exerenamed because original name is a hash value |
| Original sample name: | 69d761d941e1a7a4721e267e91167b3a.exe |
| Analysis ID: | 1389422 |
| MD5: | 69d761d941e1a7a4721e267e91167b3a |
| SHA1: | 7e83135738bdd132a8c9da031b4794852cfc9f8b |
| SHA256: | c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649 |
| Tags: | ArkeiStealerexe |
| Infos: |   |
 | |
Detection
LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Deletes itself after installation
Drops PE files to the startup folder
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Writes a notice file (html or txt) to demand a ransom
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Startup Folder File Write
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
KMPrEVaSfH.exe (PID: 1248 cmdline: C:\Users\u ser\Deskto p\KMPrEVaS fH.exe MD5: 69D761D941E1A7A4721E267E91167B3A) 
explorer.exe (PID: 1028 cmdline: C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) - BDBB.exe (PID: 4204 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\BDBB.ex e MD5: 69D761D941E1A7A4721E267E91167B3A) 
WerFault.exe (PID: 5788 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 204 -s 360 MD5: C31336C1EFC2CCB44B4326EA793040F2) 
EE23.exe (PID: 1784 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\EE23.ex e MD5: A2B38EDE1742205C46B74CE044287FB9) - EE23.exe (PID: 2284 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\EE23.ex e MD5: A2B38EDE1742205C46B74CE044287FB9) 
icacls.exe (PID: 6752 cmdline: icacls "C: \Users\use r\AppData\ Local\149a 1800-3150- 4d5d-a89e- b5c51b72b1 f9" /deny *S-1-1-0:( OI)(CI)(DE ,DC) MD5: 2E49585E4E08565F52090B144062F97E) - EE23.exe (PID: 5644 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\EE23.e xe" --Admi n IsNotAut oStart IsN otTask MD5: A2B38EDE1742205C46B74CE044287FB9) - EE23.exe (PID: 5876 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\EE23.e xe" --Admi n IsNotAut oStart IsN otTask MD5: A2B38EDE1742205C46B74CE044287FB9) 
build2.exe (PID: 432 cmdline: "C:\Users\ user\AppDa ta\Local\e 67ac349-44 89-4d00-b3 70-e055cce 7f968\buil d2.exe" MD5: A0CC1241AA4803DC23FF778AF73E3768) - build2.exe (PID: 2576 cmdline:
"C:\Users\ user\AppDa ta\Local\e 67ac349-44 89-4d00-b3 70-e055cce 7f968\buil d2.exe" MD5: A0CC1241AA4803DC23FF778AF73E3768) 
cmd.exe (PID: 5712 cmdline: "C:\Window s\system32 \cmd.exe" /c timeout /t 5 & de l /f /q "C :\Users\us er\AppData \Local\e67 ac349-4489 -4d00-b370 -e055cce7f 968\build2 .exe" & de l "C:\Prog ramData\*. dll"" & ex it MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5356 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 6448 cmdline:
timeout /t 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - EE23.exe (PID: 5824 cmdline:
"C:\Users\ user\AppDa ta\Local\1 49a1800-31 50-4d5d-a8 9e-b5c51b7 2b1f9\EE23 .exe" --Au toStart MD5: A2B38EDE1742205C46B74CE044287FB9) - EE23.exe (PID: 2836 cmdline:
"C:\Users\ user\AppDa ta\Local\1 49a1800-31 50-4d5d-a8 9e-b5c51b7 2b1f9\EE23 .exe" --Au toStart MD5: A2B38EDE1742205C46B74CE044287FB9) - EE23.exe (PID: 6324 cmdline:
"C:\Users\ user\AppDa ta\Local\1 49a1800-31 50-4d5d-a8 9e-b5c51b7 2b1f9\EE23 .exe" --Au toStart MD5: A2B38EDE1742205C46B74CE044287FB9) - EE23.exe (PID: 3292 cmdline:
"C:\Users\ user\AppDa ta\Local\1 49a1800-31 50-4d5d-a8 9e-b5c51b7 2b1f9\EE23 .exe" --Au toStart MD5: A2B38EDE1742205C46B74CE044287FB9) 
84F5.exe (PID: 4140 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\84F5.ex e MD5: 95E59305AD61119CF15EE95562BD05BA) - WerFault.exe (PID: 5020 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 140 -s 154 8 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 4164 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 140 -s 148 4 MD5: C31336C1EFC2CCB44B4326EA793040F2) 
E5F3.exe (PID: 3628 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\E5F3.ex e MD5: 35FFEFA212414C2538DF410E5AD3AFA7) - 3EE1.exe (PID: 5248 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\3EE1.ex e MD5: 422A9C5CFA6370C93A4BD5DB29C3D196) - BA7B.exe (PID: 432 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\BA7B.ex e MD5: CD2B5A09EFDAC0FFBD76111F44733138) - cmd.exe (PID: 3348 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\tmpA 28E.tmp.ba t"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 4276 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 3060 cmdline:
timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - svchost.exe (PID: 2428 cmdline:
"C:\Users\ user\AppDa ta\Roaming \svchost.e xe" MD5: CD2B5A09EFDAC0FFBD76111F44733138) 
cmstp.exe (PID: 1720 cmdline: "c:\window s\system32 \cmstp.exe " /au C:\w indows\tem p\chpkcaqm .inf MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)
- ubrawdb (PID: 4712 cmdline:
C:\Users\u ser\AppDat a\Roaming\ ubrawdb MD5: 69D761D941E1A7A4721E267E91167B3A)
- svchost.exe (PID: 4592 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - WerFault.exe (PID: 4372 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 452 -p 42 04 -ip 420 4 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 3192 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 576 -p 41 40 -ip 414 0 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 2232 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 456 -p 41 40 -ip 414 0 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- svchost.exe (PID: 5636 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s w lidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 5152 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s A ppinfo MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- EE23.exe (PID: 5968 cmdline:
C:\Users\u ser\AppDat a\Local\14 9a1800-315 0-4d5d-a89 e-b5c51b72 b1f9\EE23. exe --Task MD5: A2B38EDE1742205C46B74CE044287FB9) - EE23.exe (PID: 3560 cmdline:
C:\Users\u ser\AppDat a\Local\14 9a1800-315 0-4d5d-a89 e-b5c51b72 b1f9\EE23. exe --Task MD5: A2B38EDE1742205C46B74CE044287FB9)
- svchost.exe (PID: 7116 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Babuk | Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| STOP, Djvu | STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"C2 url": ["sofahuntingslidedine.shop", "culturesketchfinanciall.shop", "triangleseasonbenchwj.shop", "modestessayevenmilwek.shop", "liabilityarrangemenyit.shop", "claimconcessionrebe.shop", "secretionsuitcasenioise.shop", "gemcreedarticulateod.shop", "exitassumebangpastcone.shop", "sofahuntingslidedine.shop", "culturesketchfinanciall.shop", "triangleseasonbenchwj.shop", "modestessayevenmilwek.shop", "liabilityarrangemenyit.shop", "claimconcessionrebe.shop", "secretionsuitcasenioise.shop", "gemcreedarticulateod.shop", "exitassumebangpastcone.shop"], "Build id": "AmNsA2--afra"}{"Version": 2022, "C2 list": ["http://trad-einmyus.com/index.php", "http://tradein-myus.com/index.php", "http://trade-inmyus.com/index.php"]}{"Download URLs": ["http://brusuax.com/dl/build2.exe", "http://habrafa.com/files/1/build3.exe"], "C2 url": "http://habrafa.com/test1/get.php", "Ransom note file": "_README.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-hPAqznkJKD\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0849ASdw", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxNW5PuCq3eD+NuWPeUf0\\\\nDjxqm4Rl68hx+wN5scCMO43zRgzSLhdoIPuf2b8AKAB\\/jsChsRqvDVd6y8mzsIKe\\\\nnChXDE1jvtgWpSRPW\\/CxMFID0byQaSSLLKzGwmJ\\/VNb8O2ywG1si0MaENyBfurKx\\\\nlD\\/vPJwPUIHLaiQ6S4JQo43IeOABv5y8opZFp6MP4u\\/pKneNN4rZ9YD1FeX\\/DlLj\\\\n\\/Znm2LiZcoo4LTGK0pwQ2+FMd+tpYI1M5RHnDZwEETPt3QfIMMnnldvAsIUlr34n\\\\nlPVEQGOGu8KQmwm+5UyAZ6+x6pmkK7UK1i3oA6hbB\\/V\\/Bqd90OlHP1avT78Xnjcc\\\\nxwIDAQAB\\\\n-----END PUBLIC KEY-----"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| Click to see the 115 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| Click to see the 124 entries | ||||
System Summary |   |
|---|
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Max Altgelt (Nextron Systems): | ||
| Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: vburov: | ||
| Timestamp: | 192.168.2.5185.12.126.18249712802039103 02/08/24-20:17:16.198275 |
| SID: | 2039103 |
| Source Port: | 49712 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249753802039103 02/08/24-20:17:39.649713 |
| SID: | 2039103 |
| Source Port: | 49753 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249741802039103 02/08/24-20:17:36.031132 |
| SID: | 2039103 |
| Source Port: | 49741 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249715802039103 02/08/24-20:17:17.712105 |
| SID: | 2039103 |
| Source Port: | 49715 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249721802039103 02/08/24-20:17:22.381426 |
| SID: | 2039103 |
| Source Port: | 49721 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249747802039103 02/08/24-20:17:37.582726 |
| SID: | 2039103 |
| Source Port: | 49747 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249738802039103 02/08/24-20:17:35.542917 |
| SID: | 2039103 |
| Source Port: | 49738 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249735802039103 02/08/24-20:17:34.530094 |
| SID: | 2039103 |
| Source Port: | 49735 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249723802039103 02/08/24-20:17:24.945601 |
| SID: | 2039103 |
| Source Port: | 49723 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249752802039103 02/08/24-20:17:39.142330 |
| SID: | 2039103 |
| Source Port: | 49752 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249719802039103 02/08/24-20:17:21.338440 |
| SID: | 2039103 |
| Source Port: | 49719 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249714802039103 02/08/24-20:17:17.184195 |
| SID: | 2039103 |
| Source Port: | 49714 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249749802039103 02/08/24-20:17:38.118115 |
| SID: | 2039103 |
| Source Port: | 49749 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249720802039103 02/08/24-20:17:21.843709 |
| SID: | 2039103 |
| Source Port: | 49720 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249731802039103 02/08/24-20:17:33.496693 |
| SID: | 2039103 |
| Source Port: | 49731 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249737802039103 02/08/24-20:17:35.042605 |
| SID: | 2039103 |
| Source Port: | 49737 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5196.188.169.13849750802036333 02/08/24-20:17:38.402909 |
| SID: | 2036333 |
| Source Port: | 49750 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5196.188.169.13849750802020826 02/08/24-20:17:38.402909 |
| SID: | 2020826 |
| Source Port: | 49750 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249717802039103 02/08/24-20:17:20.307275 |
| SID: | 2039103 |
| Source Port: | 49717 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249722802039103 02/08/24-20:17:22.966962 |
| SID: | 2039103 |
| Source Port: | 49722 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249725802039103 02/08/24-20:17:25.446372 |
| SID: | 2039103 |
| Source Port: | 49725 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249713802039103 02/08/24-20:17:16.690474 |
| SID: | 2039103 |
| Source Port: | 49713 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249742802039103 02/08/24-20:17:36.544606 |
| SID: | 2039103 |
| Source Port: | 49742 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249730802039103 02/08/24-20:17:32.827743 |
| SID: | 2039103 |
| Source Port: | 49730 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249745802039103 02/08/24-20:17:37.053237 |
| SID: | 2039103 |
| Source Port: | 49745 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249751802039103 02/08/24-20:17:38.630159 |
| SID: | 2039103 |
| Source Port: | 49751 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249718802039103 02/08/24-20:17:20.842678 |
| SID: | 2039103 |
| Source Port: | 49718 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.5185.12.126.18249733802039103 02/08/24-20:17:34.008544 |
| SID: | 2039103 |
| Source Port: | 49733 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||