Edit tour
Windows
Analysis Report
9RM52QaURq.exe
Overview
General Information
| Sample name: | 9RM52QaURq.exerenamed because original name is a hash value |
| Original sample name: | ca53439dbc9699e109a1810227c124dadca4066758511727be95e57b8ce3bc0f.exe |
| Analysis ID: | 1556367 |
| MD5: | 9913a016528f9d9c4aac737c6a06c596 |
| SHA1: | 197435ebdeab5f6df6e10d1c5aec40812cb9dfdf |
| SHA256: | ca53439dbc9699e109a1810227c124dadca4066758511727be95e57b8ce3bc0f |
| Tags: | 45-130-145-152exeuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
CredGrabber, Meduza Stealer
| Score: | 93 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Classification
- System is w10x64
9RM52QaURq.exe (PID: 7148 cmdline: "C:\Users\ user\Deskt op\9RM52Qa URq.exe" MD5: 9913A016528F9D9C4AAC737C6A06C596) 
powershell.exe (PID: 3164 cmdline: "powershel l.exe" -No Profile -W indowStyle Hidden -E ncodedComm and QQBkAG QALQBNAHAA UAByAGUAZg BlAHIAZQBu AGMAZQAgAC 0ARQB4AGMA bAB1AHMAaQ BvAG4AUABh AHQAaAAgAC cAQwA6AFwA VQBzAGUAcg BzAFwAagBv AG4AZQBzAF wAQQBwAHAA RABhAHQAYQ BcAEwAbwBj AGEAbABcAF QAZQBtAHAA XAAzADgASA BzAHEAdwBI AGwAYgBHAF wAMwBVAHUA eABUAEgANg BGAE0AWAAu AGUAeABlAC cA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
conhost.exe (PID: 8 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WmiPrvSE.exe (PID: 2640 cmdline: C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - 3UuxTH6FMX.exe (PID: 3760 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\38Hsqw HlbG\3UuxT H6FMX.exe" MD5: 183E24B654414D7BE786CCD8E6A108A5)
- cleanup
{"C2 url": "45.130.145.152", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite", "build_name": "Work", "links": "", "port": 15666}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_CredGrabber | Yara detected CredGrabber | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: frack113: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-15T10:28:51.927747+0100 | 2049441 | 1 | A Network Trojan was detected | 192.168.2.4 | 53976 | 45.130.145.152 | 15666 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-15T10:28:51.927747+0100 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.4 | 53976 | 45.130.145.152 | 15666 | TCP |
| 2024-11-15T10:28:51.932774+0100 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.4 | 53976 | 45.130.145.152 | 15666 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-15T10:28:51.927747+0100 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.4 | 53976 | 45.130.145.152 | 15666 | TCP |
| 2024-11-15T10:28:51.932774+0100 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.4 | 53976 | 45.130.145.152 | 15666 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 8_2_00000218BFBC1EA0 | |
| Source: | Code function: | 8_2_00000218BFB85EE0 | |
| Source: | Code function: | 8_2_00000218BFBC21C0 | |
| Source: | Code function: | 8_2_00000218BFC22090 | |
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 8_2_00000218BFC098C0 | |
| Source: | Code function: | 8_2_00000218BFC09810 | |
| Source: | Code function: | 8_2_00000218BFBD13B0 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_07352978 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||