Edit tour
Windows
Analysis Report
PO2737478834ORDER.exe
Overview
General Information
| Sample name: | PO2737478834ORDER.exe |
| Analysis ID: | 1445942 |
| MD5: | 6d84fe81c98c02205cc129f68aca4529 |
| SHA1: | cf805bfa98d12c72a2f355cf1743de9ca7b8d12c |
| SHA256: | 987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be |
| Tags: | exe |
| Infos: |   |
 | |
Detection
AveMaria, GuLoader, PrivateLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AveMaria stealer
Yara detected GuLoader
Yara detected PrivateLoader
AI detected suspicious sample
Contains functionality to hide user accounts
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Obfuscated command line found
Powershell drops PE file
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
PO2737478834ORDER.exe (PID: 7752 cmdline:
"C:\Users\ user\Deskt op\PO27374 78834ORDER .exe" MD5: 6D84FE81C98C02205CC129F68ACA4529) 
powershell.exe (PID: 7852 cmdline: "powershel l.exe" -wi ndowstyle hidden "$A kteret=Get -Content ' C:\Users\u ser\AppDat a\Roaming\ Grydeskeen 146\sdfdsf \Kejsertan kens\Habit ters.Hej'; $Engraphy= $Akteret.S ubString(5 4172,3);.$ Engraphy($ Akteret)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
conhost.exe (PID: 7860 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7988 cmdline:
"C:\Window s\system32 \cmd.exe" "/c set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) "C:\Progra m Files (x 86)\window s mail\wab .exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Ave Maria, AveMariaRAT, avemaria | Information stealer which uses AutoIT for wrapping. |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| PrivateLoader | According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | ||
| Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown |
| |
| JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| Click to see the 2 entries | ||||
System Summary |   |
|---|
| Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: frack113: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Timestamp: | 05/22/24-20:08:53.293761 |
| SID: | 2852347 |
| Source Port: | 56372 |
| Destination Port: | 78 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/22/24-20:08:53.598499 |
| SID: | 2852350 |
| Source Port: | 78 |
| Destination Port: | 56372 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/22/24-20:08:53.874038 |
| SID: | 2852354 |
| Source Port: | 78 |
| Destination Port: | 56372 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/22/24-20:08:53.600199 |
| SID: | 2852355 |
| Source Port: | 56372 |
| Destination Port: | 78 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/22/24-20:08:53.600199 |
| SID: | 2839089 |
| Source Port: | 56372 |
| Destination Port: | 78 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/22/24-20:08:53.600199 |
| SID: | 2852352 |
| Source Port: | 56372 |
| Destination Port: | 78 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/22/24-20:08:53.222242 |
| SID: | 2852346 |
| Source Port: | 78 |
| Destination Port: | 56372 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | URL Reputation: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | File source: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||