Loading... Additional Content is being loaded
Windows
Analysis Report
K59gVXTgGv.exe
Overview
General Information
| Sample name: | K59gVXTgGv.exerenamed because original name is a hash value |
| Original sample name: | b7ca45674c6b8a24a6a71315e0e51397.exe |
| Analysis ID: | 1465048 |
| MD5: | b7ca45674c6b8a24a6a71315e0e51397 |
| SHA1: | 79516b1bd2227f08ff333b950dafb29707916828 |
| SHA256: | 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb |
| Tags: | 32exetrojan |
| Infos: |   |
 |
|
Detection
AsyncRAT, DarkTortilla, Njrat, StormKitty
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DarkTortilla Crypter
Yara detected Njrat
Yara detected StormKitty Stealer
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries Google from non browser process on port 80
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
|
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| DarkTortilla | DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. | No Attribution |
|
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| NjRAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored. |
|
|
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Cameleon, StormKitty | PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands. | No Attribution |
|
AV Detection |
  |
|---|
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Malware Configuration Extractor: |
||
| Source: |
Malware Configuration Extractor: | ||