Edit tour
Windows
Analysis Report
m5EyzJ7S8S.exe
Overview
General Information
| Sample name: | m5EyzJ7S8S.exerenamed because original name is a hash value |
| Original sample name: | 7826a4e8cd6e6f117eef43d8c28c5376.exe |
| Analysis ID: | 1401951 |
| MD5: | 7826a4e8cd6e6f117eef43d8c28c5376 |
| SHA1: | e1ad309d3336d6f160cdec53e792f246fead055b |
| SHA256: | f7b3ea13abebeb99ddfd4319457ff2d8a8473b8a46963de047cce295abadd2eb |
| Tags: | exe |
| Infos: |   |
 | |
Detection
Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
UAC bypass detected (Fodhelper)
Yara detected Amadeys stealer DLL
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops PE files with benign system names
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
m5EyzJ7S8S.exe (PID: 3816 cmdline: C:\Users\u ser\Deskto p\m5EyzJ7S 8S.exe MD5: 7826A4E8CD6E6F117EEF43D8C28C5376) 
explorer.exe (PID: 3504 cmdline: C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) 
regsvr32.exe (PID: 1556 cmdline: regsvr32 / s C:\Users \user\AppD ata\Local\ Temp\240C. dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - regsvr32.exe (PID: 3280 cmdline:
/s C:\Use rs\user\Ap pData\Loca l\Temp\240 C.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0) 
2853.exe (PID: 1824 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\2853.ex e MD5: 24001C12FE58E9B0D169EB051103A0CB) - 2853.exe (PID: 3108 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\2853.ex e MD5: 24001C12FE58E9B0D169EB051103A0CB) - 3738.exe (PID: 1944 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\3738.ex e MD5: 6774705F396746ECDD7B8CF62DDAF04D) 
4265.exe (PID: 2228 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\4265.ex e MD5: A1B5EE1B9649AB629A7AC257E2392F8D) 
WerFault.exe (PID: 6468 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 2 228 -s 764 MD5: C31336C1EFC2CCB44B4326EA793040F2) - 4ED9.exe (PID: 4568 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\4ED9.ex e MD5: 6774705F396746ECDD7B8CF62DDAF04D) - 68AC.exe (PID: 2136 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\68AC.ex e MD5: 2C7078B90CAEE9D791DD338C2441CA32) 
InstallSetup_four.exe (PID: 2016 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\Instal lSetup_fou r.exe" MD5: 0564A9BF638169A89CCB3820A6B9A58E) 
u1k0.0.exe (PID: 5612 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\u1k0.0 .exe" MD5: 1F7B5A56F01B1E95450AA9517EB7BCC2) 
u1k0.1.exe (PID: 4464 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\u1k0.1 .exe" MD5: 5B87828EA000C7111084D8BEED17175E) - WerFault.exe (PID: 3784 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 2 016 -s 456 MD5: C31336C1EFC2CCB44B4326EA793040F2) 
288c47bbc1871b439df19ff4df68f076.exe (PID: 6996 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\288c47 bbc1871b43 9df19ff4df 68f076.exe " MD5: 0C7B8DAA9B09BCDF947A020BF28C2F19) 
7203.exe (PID: 6968 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\7203.ex e MD5: EEE01D0D94C99904E56EBC1EEC2E6F50) - 7203.tmp (PID: 3152 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-VEK J5.tmp\720 3.tmp" /SL 5="$20414, 2460127,56 832,C:\Use rs\user\Ap pData\Loca l\Temp\720 3.exe" MD5: D7A5DDED475AF583CB93C9E250A003A6) - 7203.exe (PID: 3656 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\7203.e xe" /SPAWN WND=$2042E /NOTIFYWN D=$20414 MD5: EEE01D0D94C99904E56EBC1EEC2E6F50) - 7203.tmp (PID: 4292 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-OIK I7.tmp\720 3.tmp" /SL 5="$9007A, 2460127,56 832,C:\Use rs\user\Ap pData\Loca l\Temp\720 3.exe" /SP AWNWND=$20 42E /NOTIF YWND=$2041 4 MD5: D7A5DDED475AF583CB93C9E250A003A6) 
smtpproxy32.exe (PID: 6624 cmdline: "C:\Users\ user\AppDa ta\Local\S MTP Proxy\ smtpproxy3 2.exe" -i MD5: 2598C7E5C484719BABF345C062219B1B) 
8D1E.exe (PID: 6100 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\8D1E.ex e MD5: 95F692E61E2200A54BB125789929572D) - csrss.exe (PID: 4216 cmdline:
"C:\Progra mData\Driv ers\csrss. exe" MD5: 24001C12FE58E9B0D169EB051103A0CB)
- jrrihda (PID: 3184 cmdline:
C:\Users\u ser\AppDat a\Roaming\ jrrihda MD5: 7826A4E8CD6E6F117EEF43D8C28C5376)
- 4265.exe (PID: 4112 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\4265.e xe" MD5: A1B5EE1B9649AB629A7AC257E2392F8D) - WerFault.exe (PID: 7052 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 112 -s 564 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- svchost.exe (PID: 4516 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - WerFault.exe (PID: 4864 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 208 -p 22 28 -ip 222 8 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 2800 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 456 -p 41 12 -ip 411 2 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 5672 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 596 -p 20 16 -ip 201 6 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- svchost.exe (PID: 5620 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s w lidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Glupteba | Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. | No Attribution |
{"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}{"C2 list": ["http://goodfooggooftool.net/index.php", "http://sulugilioiu19.net/index.php", "http://selebration17io.io/index.php", "http://vacantion18ffeu.cc/index.php", "http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security | ||
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| MALWARE_Win_DLInjector04 | Detects downloader / injector | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
| Click to see the 37 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
| JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security | ||
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
| JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security | ||
| JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
| Click to see the 17 entries | ||||
System Summary |   |
|---|
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Max Altgelt (Nextron Systems): | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: vburov: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Binary or memory string: | memstr_16c02979-b | |
Exploits | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Privilege Escalation | |
|---|
| Source: | Registry value created: | ||
| Source: | Registry value created: | ||
Bitcoin Miner | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 25_2_00417CEE | |
| Source: | Code function: | 25_2_03707F55 | |
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||