Windows
Analysis Report
Whatsapp-GUI.exe
Overview
General Information
Detection: DarkGate, MailPassView
Score | 69 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Compliance
Score | 63 |
Range | 0 - 100 |
Signatures
Found malware configuration
Yara detected DarkGate
Yara detected MailPassView
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates autostart registry keys with suspicious names
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- Whatsapp-GUI.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\Whatsapp-GUI.exe" MD5: 8C3EF2EBA970F543F0EBE6DCED908402)
  - UpdaterService.exe (PID: 7636 cmdline: "C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x" MD5: C56B5F0201A3B3DE53E561FE76912BFD)
    - cmd.exe (PID: 7684 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bfadeeb\deddfcf MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      - conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - WMIC.exe (PID: 7732 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)
- Autoit3.exe (PID: 8020 cmdline: "C:\ProgramData\bfadeeb\Autoit3.exe" C:\ProgramData\bfadeeb\fhdgaef.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)
- Autoit3.exe (PID: 8092 cmdline: "C:\ProgramData\bfadeeb\Autoit3.exe" C:\ProgramData\bfadeeb\fhdgaef.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DarkGate | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023. | No Attribution | | |
{"C2 url": "154.216.16.83", "check_ram": false, "crypter_rawstub": "Whatsapp", "crypter_dll": "PyKtS5QCVyLlgyPHS4pCp0F19IXDQAsFsMQc", "crypter_au3": 6, "flag_14": true, "crypto_key": 80, "startup_persistence": true, "flag_32": false, "anti_vm": false, "min_disk": false, "flag_18": 100, "anti_analysis": false, "min_ram": false, "flag_19": 4096, "check_disk": false, "flag_21": false, "flag_23": true, "flag_31": false, "flag_25": "rjacline01395", "flag_26": false, "flag_27": "VyUZUiNl", "flag_28": false, "flag_29": 2, "flag_35": false}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
 | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security | |
 | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security | |
 | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security | |
 | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
No Suricata rule has matched
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Integrated Neural Analysis Model: |
Compliance |
---|
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 9_2_008A4005 | |
Source: | Code function: | 9_2_008AC2FF | |
Source: | Code function: | 9_2_008A494A | |
Source: | Code function: | 9_2_008ACD9F | |
Source: | Code function: | 9_2_008ACD14 | |
Source: | Code function: | 9_2_008AF5D8 | |
Source: | Code function: | 9_2_008AF735 | |
Source: | Code function: | 9_2_008AFA36 | |
Source: | Code function: | 9_2_008A3CE2 | |
Source: | Code function: | 9_2_00F1DB65 | |
Source: | Code function: | 9_2_03BBA584 | |
Source: | Code function: | 9_2_03B68AFC | |
Source: | Code function: | 9_2_03B689F4 | |
Source: | Code function: | 9_2_03BB31F8 | |
Source: | Code function: | 9_2_03BBBA70 | |
Source: | Code function: | 9_2_03B65974 | |
Source: | Code function: | 9_2_03B7BD8C | |
Source: | Code function: | 9_2_03B93D68 |
Networking |
---|
Source: | IPs: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | TCP traffic detected without corresponding DNS query: | (50 occurrences) |
Source: | Code function: | 9_2_008B29BA |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |