Windows
Analysis Report
fluent.exe
Overview
General Information
Detection: DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- fluent.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\fluent.exe" MD5: 210E4AC30AB0F880161088551AA8519E)
- wscript.exe (PID: 7500 cmdline: "C:\Windows\System32\WScript.exe" "C:\comReviewintocommon\TWlWAN2ryscXhu39ZLKnk88Wy4VE5T41kI6bFa9kkkqSh.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 7796 cmdline: C:\Windows\system32\cmd.exe /c ""C:\comReviewintocommon\YnzAdQrUUt8.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- driverSavesNet.exe (PID: 7840 cmdline: "C:\comReviewintocommon/driverSavesNet.exe" MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- schtasks.exe (PID: 7924 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQg" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\gNKaMdWfDFzDkhEeKzQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7948 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQ" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\gNKaMdWfDFzDkhEeKzQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7972 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQg" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\gNKaMdWfDFzDkhEeKzQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- csc.exe (PID: 7988 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jzqywwbr\jzqywwbr.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
- conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cvtres.exe (PID: 8048 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD287.tmp" "c:\Windows\System32\CSCBCBDE6D48A2D4BDA8A90105531C410CA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- schtasks.exe (PID: 8112 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQg" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\gNKaMdWfDFzDkhEeKzQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 8144 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQ" /sc ONLOGON /tr "'C:\Users\Default\Application Data\gNKaMdWfDFzDkhEeKzQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 8168 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQg" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\gNKaMdWfDFzDkhEeKzQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7196 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQg" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\gNKaMdWfDFzDkhEeKzQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1804 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQ" /sc ONLOGON /tr "'C:\Users\Default\Recent\gNKaMdWfDFzDkhEeKzQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 6108 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQg" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\gNKaMdWfDFzDkhEeKzQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 4416 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQg" /sc MINUTE /mo 13 /tr "'C:\Windows\en-GB\gNKaMdWfDFzDkhEeKzQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5016 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQ" /sc ONLOGON /tr "'C:\Windows\en-GB\gNKaMdWfDFzDkhEeKzQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 3452 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQg" /sc MINUTE /mo 14 /tr "'C:\Windows\en-GB\gNKaMdWfDFzDkhEeKzQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1696 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQg" /sc MINUTE /mo 14 /tr "'C:\Recovery\gNKaMdWfDFzDkhEeKzQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7360 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQ" /sc ONLOGON /tr "'C:\Recovery\gNKaMdWfDFzDkhEeKzQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 4480 cmdline: schtasks.exe /create /tn "gNKaMdWfDFzDkhEeKzQg" /sc MINUTE /mo 10 /tr "'C:\Recovery\gNKaMdWfDFzDkhEeKzQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 3288 cmdline: schtasks.exe /create /tn "driverSavesNetd" /sc MINUTE /mo 11 /tr "'C:\comReviewintocommon\driverSavesNet.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7256 cmdline: schtasks.exe /create /tn "driverSavesNet" /sc ONLOGON /tr "'C:\comReviewintocommon\driverSavesNet.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7492 cmdline: schtasks.exe /create /tn "driverSavesNetd" /sc MINUTE /mo 9 /tr "'C:\comReviewintocommon\driverSavesNet.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- cmd.exe (PID: 7484 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RJ4yfxqn4J.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- chcp.com (PID: 7400 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
- PING.EXE (PID: 5800 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
- gNKaMdWfDFzDkhEeKzQ.exe (PID: 7948 cmdline: "C:\Windows\en-GB\gNKaMdWfDFzDkhEeKzQ.exe" MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- gNKaMdWfDFzDkhEeKzQ.exe (PID: 8040 cmdline: "C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\gNKaMdWfDFzDkhEeKzQ.exe" MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- gNKaMdWfDFzDkhEeKzQ.exe (PID: 8076 cmdline: "C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\gNKaMdWfDFzDkhEeKzQ.exe" MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- driverSavesNet.exe (PID: 5720 cmdline: C:\comReviewintocommon\driverSavesNet.exe MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- driverSavesNet.exe (PID: 1196 cmdline: C:\comReviewintocommon\driverSavesNet.exe MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- gNKaMdWfDFzDkhEeKzQ.exe (PID: 7848 cmdline: "C:\Recovery\gNKaMdWfDFzDkhEeKzQ.exe" MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- driverSavesNet.exe (PID: 7180 cmdline: "C:\comReviewintocommon\driverSavesNet.exe" MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- gNKaMdWfDFzDkhEeKzQ.exe (PID: 2128 cmdline: "C:\Recovery\gNKaMdWfDFzDkhEeKzQ.exe" MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- driverSavesNet.exe (PID: 4480 cmdline: "C:\comReviewintocommon\driverSavesNet.exe" MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- gNKaMdWfDFzDkhEeKzQ.exe (PID: 7408 cmdline: "C:\Recovery\gNKaMdWfDFzDkhEeKzQ.exe" MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- driverSavesNet.exe (PID: 6524 cmdline: "C:\comReviewintocommon\driverSavesNet.exe" MD5: F5C25B9C7F555EE1D53CE4A530C475C8)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | |
zgRAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. It has an infostealer component that targets browser information and cryptowallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx and similar attachments. | No Attribution | |
No configs have been found
Rule | Description | Author
---|---|---
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

(5 of 7 entries shown)

Rule | Description | Author
---|---|---
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
System Summary
- Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
- Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
- Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
- Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
- Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
- Author: Michael Haag
- Author: frack113
Data Obfuscation
- Author: Joe Security
Timestamp: 2024-08-26T20:16:32.024235+0200
SID: 2048095
Severity: 1
Source Port: 49736
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected
AV Detection

Source | Entries
---|---
Avira | 13
Avira URL Cloud | 3
ReversingLabs | 13
Integrated Neural Analysis Model | 1
Joe Sandbox ML | 14
Static PE information | 1
Binary string | 5
Spreading

Source | Entries
---|---
System file written | 1
Code function | 0_2_006EA69B
File opened | 6
Networking

Source | Entries
---|---
Suricata IDS | 1
Process created | 1
IP Address | 1
ASN Name | 1
HTTP traffic detected | 10