Edit tour
Windows
Analysis Report
cPl7CoJTBx.exe
Overview
General Information
| Sample name: | cPl7CoJTBx.exerenamed because original name is a hash value |
| Original sample name: | 32554d2f5dcd9927b21b43dda85359c2.exe |
| Analysis ID: | 1533849 |
| MD5: | 32554d2f5dcd9927b21b43dda85359c2 |
| SHA1: | cfc29320a821c84661de03ef07f96d6e0f9a707a |
| SHA256: | e68f4ed80cc5d1c699653e106b4f36693dc45c0e571b9a71a1f010b1516a2271 |
| Tags: | exeuser-abuse_ch |
| Infos: |   |
 | |
Detection
Luna Grabber, Luna Logger
| Score: | 92 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Luna Grabber
Yara detected Luna Logger
AI detected suspicious sample
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to detect if online games are installed (MineCraft, World Of Warcraft etc)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
cPl7CoJTBx.exe (PID: 5972 cmdline: "C:\Users\ user\Deskt op\cPl7CoJ TBx.exe" MD5: 32554D2F5DCD9927B21B43DDA85359C2) - cPl7CoJTBx.exe (PID: 6784 cmdline:
"C:\Users\ user\Deskt op\cPl7CoJ TBx.exe" MD5: 32554D2F5DCD9927B21B43DDA85359C2) 
cmd.exe (PID: 4440 cmdline: C:\Windows \system32\ cmd.exe /c "netsh wl an show pr ofiles" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4268 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - netsh.exe (PID: 5340 cmdline:
netsh wlan show prof iles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LunaGrabber | Yara detected Luna Grabber | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LunaLogger | Yara detected Luna Logger | Joe Security |
Stealing of Sensitive Information |   |
|---|
| Source: | Author: Joe Security: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 2_2_00007FF8A82CCD30 | |
| Source: | Code function: | 2_2_00007FF8A82C4930 | |
| Source: | Code function: | 2_2_00007FF8A82FE920 | |
| Source: | Code function: | 2_2_00007FF8A82B1EE2 | |
| Source: | Code function: | 2_2_00007FF8A82B139D | |
| Source: | Code function: | 2_2_00007FF8A82B2185 | |
| Source: | Code function: | 2_2_00007FF8A82B1893 | |
| Source: | Code function: | 2_2_00007FF8A82B204F | |
| Source: | Code function: | 2_2_00007FF8A82C4990 | |
| Source: | Code function: | 2_2_00007FF8A82B24EB | |
| Source: | Code function: | 2_2_00007FF8A83089F0 | |
| Source: | Code function: | 2_2_00007FF8A82B17DF | |
| Source: | Code function: | 2_2_00007FF8A82B114F | |
| Source: | Code function: | 2_2_00007FF8A82B1A05 | |
| Source: | Code function: | 2_2_00007FF8A82B1492 | |
| Source: | Code function: | 2_2_00007FF8A82F2A50 | |
| Source: | Code function: | 2_2_00007FF8A82B4B30 | |
| Source: | Code function: | 2_2_00007FF8A82B1460 | |
| Source: | Code function: | 2_2_00007FF8A82C6B20 | |
| Source: | Code function: | 2_2_00007FF8A82DEB10 | |
| Source: | Code function: | 2_2_00007FF8A82B1A0F | |
| Source: | Code function: | 2_2_00007FF8A82CEB48 | |
| Source: | Code function: | 2_2_00007FF8A82B1AB4 | |
| Source: | Code function: | 2_2_00007FF8A8314C40 | |
| Source: | Code function: | 2_2_00007FF8A82FEC10 | |
| Source: | Code function: | 2_2_00007FF8A82B4C00 | |
| Source: | Code function: | 2_2_00007FF8A82FEC70 | |
| Source: | Code function: | 2_2_00007FF8A82B257C | |
| Source: | Code function: | 2_2_00007FF8A82B22D9 | |
| Source: | Code function: | 2_2_00007FF8A82F8C80 | |
| Source: | Code function: | 2_2_00007FF8A8308CA0 | |
| Source: | Code function: | 2_2_00007FF8A82B136B | |
| Source: | Code function: | 2_2_00007FF8A82B1CBC | |
| Source: | Code function: | 2_2_00007FF8A82F8D40 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||