Windows Analysis Report: BwqqVoHR71.exe
Overview

General Information

Field | Value |
---|---|
Sample name | BwqqVoHR71.exe (renamed because the original name is a hash value) |
Original sample name | 0a21a94198f6157abb36bf55cb43be27.exe |
Analysis ID | 1537033 |
MD5 | 0a21a94198f6157abb36bf55cb43be27 |
SHA1 | 9a01b5e8a68be2b49250c730f8c3ecaee3734170 |
SHA256 | 53fcb9786b102a6ad732878445deb13132324e59487ac841cba4e38bb990bee6 |
Tags | exe, user-abuse_ch |
Detection

Verdict | Value |
---|---|
Detection | GO Backdoor |
Score | 72 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Found Tor onion address
Injects a PE file into a foreign process
Suspicious powershell command line found
Writes to foreign memory regions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification

- System is w10x64
- BwqqVoHR71.exe (PID: 8164, cmdline: "C:\Users\user\Desktop\BwqqVoHR71.exe", MD5: 0A21A94198F6157ABB36BF55CB43BE27)
  - BitLockerToGo.exe (PID: 7660, cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
    - powershell.exe (PID: 5908, cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 5936, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- BitLockerToGo.exe (PID: 3192, cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
No configs have been found.

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security | |
| JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security | |
Sigma rule author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Sigma rule author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-18T14:10:38.691903+0200 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.10 | 49988 | 109.172.88.38 | 23961 | TCP |
2024-10-18T14:11:07.929703+0200 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.10 | 49988 | 109.172.88.38 | 23961 | TCP |
2024-10-18T14:11:08.196218+0200 | 2855538 | 1 | A Network Trojan was detected | 109.172.88.38 | 23961 | 192.168.2.10 | 49988 | TCP |
2024-10-18T14:10:38.691574+0200 | 2855539 | 1 | A Network Trojan was detected | 109.172.88.38 | 23961 | 192.168.2.10 | 49988 | TCP |
AV Detection

Source | Detail |
---|---|
ReversingLabs | |
Integrated Neural Analysis Model | |
Static PE information | |
Static PE information | |
Binary string | |
Binary string | |

Networking

Source | Detail |
---|---|
Suricata IDS | |
Suricata IDS | |
Suricata IDS | |
Suricata IDS | |
TCP traffic | |
String found in binary or memory | |