Edit tour
Windows
Analysis Report
Xyq6rvzLJs.exe
Overview
General Information
| Sample name: | Xyq6rvzLJs.exerenamed because original name is a hash value |
| Original sample name: | 3aab068d8c443560d02e4b58cf05e8f1b6d70f93.exe |
| Analysis ID: | 1552937 |
| MD5: | 5ec3267acfd4ef36cbfb796016142892 |
| SHA1: | 3aab068d8c443560d02e4b58cf05e8f1b6d70f93 |
| SHA256: | 64b1f050cbe98f8ecdc56cf7fb3a2a96fdeb3d5bad2053db36ba12a5fe5e92bb |
| Tags: | exesilverratuser-NDA0E |
| Infos: |   |
 | |
Detection
SilverRat
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected SilverRat
.NET source code contains potential unpacker
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
Xyq6rvzLJs.exe (PID: 2764 cmdline: "C:\Users\ user\Deskt op\Xyq6rvz LJs.exe" MD5: 5EC3267ACFD4EF36CBFB796016142892) - attrib.exe (PID: 1436 cmdline:
"C:\Window s\System32 \attrib.ex e" +s +h " C:\Users\u ser\AppDat a\Roaming\ EA" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD) 
conhost.exe (PID: 6640 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - attrib.exe (PID: 7092 cmdline:
"C:\Window s\System32 \attrib.ex e" +s +h " C:\Users\u ser\AppDat a\Roaming\ EA\$77EAAn tiCheat.In stalller.e xe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD) - conhost.exe (PID: 5988 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6360 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\tmpF 224.tmp.ba t"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2968 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 4796 cmdline:
timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6) - $77EAAntiCheat.Installler.exe (PID: 2884 cmdline:
"C:\Users\ user\AppDa ta\Roaming \EA\$77EAA ntiCheat.I nstalller. exe" MD5: 5EC3267ACFD4EF36CBFB796016142892) - schtasks.exe (PID: 5564 cmdline:
"schtasks. exe" /quer y /TN $77E AAntiCheat .Installle r.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2) - conhost.exe (PID: 2944 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 4068 cmdline:
"schtasks. exe" /Crea te /SC ONC E /TN "$77 EAAntiChea t.Installl er.exe" /T R "C:\User s\user\App Data\Roami ng\EA\$77E AAntiCheat .Installle r.exe \"\$ 77EAAntiCh eat.Instal ller.exe\" /AsAdmin" /ST 00:01 /IT /F /R L HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2) - conhost.exe (PID: 1776 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 1096 cmdline:
"schtasks. exe" /quer y /TN $77E AAntiCheat .Installle r.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2) - conhost.exe (PID: 6648 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 7092 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Set-MpPref erence -Ex clusionExt ension exe ,bat,dll,p s1;exit MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6200 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WmiPrvSE.exe (PID: 432 cmdline: C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - schtasks.exe (PID: 7060 cmdline:
"C:\Window s\System32 \schtasks. exe" /crea te /sc dai ly /tn "EA AntiCheat. Installler _Task-DAIL Y-21PM" /T R "%MyFile %" /ST 21: 00 MD5: 76CD6626DD8834BD4A42E6A565104DC2) - conhost.exe (PID: 1272 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- $77EAAntiCheat.Installler.exe (PID: 6104 cmdline:
C:\Users\u ser\AppDat a\Roaming\ EA\$77EAAn tiCheat.In stalller.e xe "\$77EA AntiCheat. Installler .exe" /AsA dmin MD5: 5EC3267ACFD4EF36CBFB796016142892)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security | ||
| JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security | ||
| JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security | ||
| JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security | ||
| JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-09T22:53:22.851817+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.5 | 49710 | TCP |
| 2024-11-09T22:54:01.184035+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.5 | 49942 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
Networking | |
|---|
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | Code function: | 0_2_00007FF848E97E09 | |
| Source: | Code function: | 0_2_00007FF848E960C2 | |
| Source: | Code function: | 0_2_00007FF848E95316 | |
| Source: | Code function: | 12_2_00007FF848E760C2 | |
| Source: | Code function: | 12_2_00007FF848E75316 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Task registration methods: | ||
| Source: | Task registration methods: | ||
| Source: | Base64 encoded string: | ||