Edit tour
Windows
Analysis Report
SecuriteInfo.com.Trojan.PackedNET.2334.3801.19434.exe
Overview
General Information
Detection
PureLog Stealer, Raccoon Stealer v2, SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Raccoon Stealer v2
Yara detected SmokeLoader
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Switches to a custom stack to bypass stack traces
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.PackedNET.2334.3801.19434.exe (PID: 3808 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. Trojan.Pac kedNET.233 4.3801.194 34.exe" MD5: 6A7681530B7CD49A24F0E12F609F0635) - RegAsm.exe (PID: 6352 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\RegA sm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 5412 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\RegA sm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13) - nUt0u1Qn.exe (PID: 2260 cmdline:
"C:\Users\ user\AppDa ta\Roaming \nUt0u1Qn. exe" MD5: E3DC222D0A34C4B230F538A67BB7265D) - RegAsm.exe (PID: 5368 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\RegA sm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13) - explorer.exe (PID: 4056 cmdline:
C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) - SOCKET5.exe (PID: 6724 cmdline:
"C:\Users\ user\AppDa ta\Roaming \SOCKET5.e xe" MD5: E3DC222D0A34C4B230F538A67BB7265D) - RegAsm.exe (PID: 6352 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\RegA sm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13) - SOCKET5.exe (PID: 4564 cmdline:
"C:\Users\ user\AppDa ta\Roaming \SOCKET5.e xe" MD5: E3DC222D0A34C4B230F538A67BB7265D) - RegAsm.exe (PID: 3580 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\RegA sm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"C2 url": ["http://193.142.147.59:80"], "Bot ID": "071a7b18a42c1cd94de2fc5bb0bbcaf2", "XOR key": "071a7b18a42c1cd94de2fc5bb0bbcaf2"}
{"Version": 2022, "C2 list": ["http://glueberry-og.cc/", "http://glueberry-og.co/", "http://glueberry-og.to/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2_1 | Yara detected Raccoon Stealer v2 | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
Click to see the 47 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
Click to see the 16 entries |
System Summary |
---|
Source: | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Timestamp: | 07/21/24-11:25:38.461722 |
SID: | 2036934 |
Source Port: | 49704 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 07/21/24-11:25:39.140054 |
SID: | 2036955 |
Source Port: | 80 |
Destination Port: | 49704 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-07-21T11:25:39.152197+0200 |
SID: | 2036955 |
Source Port: | 80 |
Destination Port: | 49704 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-07-21T11:26:16.523750+0200 |
SID: | 2025993 |
Source Port: | 49713 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-07-21T11:25:39.140137+0200 |
SID: | 2036934 |
Source Port: | 49704 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-07-21T11:25:44.859035+0200 |
SID: | 2854151 |
Source Port: | 49704 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 4_2_00403A6C | |
Source: | Code function: | 4_2_004035B2 | |
Source: | Code function: | 4_2_00403FB8 | |
Source: | Code function: | 4_2_004025C2 | |
Source: | Code function: | 4_2_0040254C | |
Source: | Code function: | 4_2_00407553 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 4_2_00406CC5 | |
Source: | Code function: | 4_2_00404F4A | |
Source: | Code function: | 4_2_0040F04B | |
Source: | Code function: | 4_2_004108CA | |
Source: | Code function: |