Windows
Analysis Report
#U4fdd#U62a4#U795e1.exe
Overview
General Information
Sample name: | #U4fdd#U62a4#U795e1.exe (renamed because the original name is a hash value) |
Original sample name: | 1.exe |
Analysis ID: | 1559170 |
MD5: | f5b663e9aa9555b45bd9e88221083781 |
SHA1: | 3df73ded0310c3e70ce430118ced5073f75e0cc1 |
SHA256: | 2db7d9e24396db62672a83f5245a154a8b58d2099554aaa93ad2dcef1f18c513 |
Tags: | exe, opendir, user-Joker |
Infos: | |
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Detected VMProtect packer
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Contains functionality for read data from the clipboard
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- #U4fdd#U62a4#U795e1.exe (PID: 6648, cmdline: "C:\Users\user\Desktop\#U4fdd#U62a4#U795e1.exe", MD5: F5B663E9AA9555B45BD9E88221083781)
- 16.exe (PID: 6340, cmdline: C:\Users\user\Desktop\16.exe, MD5: 72AA0DBF54D8C3A47D3C3AA1BD875E1D)
- update.exe (PID: 5272, cmdline: update.exe 1.2 16.exe http://38.6.175.25:901/down http://38.6.175.25:901, MD5: CA57BDFF74665A2A42A8CF4AD4593D9F)
- #U4fdd#U62a4#U795e1.exe (PID: 5608, cmdline: "C:\Users\user\Desktop\#U4fdd#U62a4#U795e1.exe", MD5: F5B663E9AA9555B45BD9E88221083781)
- cleanup
No configs have been found
No yara matches
System Summary
Source: Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-20T09:14:45.429724+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 49702 | 42.193.100.57 | 80 | TCP |
AV Detection
Source: ReversingLabs
Source: ReversingLabs
Source: ReversingLabs
Source: Integrated Neural Analysis Model
Source: Joe Sandbox ML
Source: Joe Sandbox ML
Source: Joe Sandbox ML
Source: Static PE information
Source: Code function 0_2_004801E0
Source: Code function 0_2_004927A8
Source: Code function 0_2_00423610
Source: Code function 0_2_0041B240
Source: Code function 0_2_00411EF0
Source: Code function 3_2_004801E0
Source: Code function 3_2_004927A8
Source: Code function 3_2_00423610
Source: Code function 3_2_0041B240
Source: Code function 3_2_00411EF0
Source: Code function 7_2_004929E2
Source: Code function 7_2_00438DA0
Source: Code function 7_2_0043BF10
Source: Code function 7_2_0042FF90
Source: Code function 0_2_0041F502
Source: Code function 3_2_0041F502
Source: TCP traffic
Source: HTTP traffic detected