Edit tour
Windows
Analysis Report
T2dvU8f2xg.exe
Overview
General Information
Sample name: | T2dvU8f2xg.exerenamed because original name is a hash value |
Original sample name: | aff26ef08f47b7543f4f84e5fd6d378d950f9b7d99a2397e3e56fb064db0efe2.exe |
Analysis ID: | 1577424 |
MD5: | e94178c1c416647220889ffd3bdecfb5 |
SHA1: | 2b14a3564d79362ba2bdfce85fca4c4b595531bd |
SHA256: | aff26ef08f47b7543f4f84e5fd6d378d950f9b7d99a2397e3e56fb064db0efe2 |
Tags: | 107-148-62-100exeuser-JAMESWT_MHT |
Infos: | |
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
AI detected suspicious sample
Contains VNC / remote desktop functionality (version string found)
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for sample
PE file has nameless sections
Potentially malicious time measurement code found
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- T2dvU8f2xg.exe (PID: 7852 cmdline:
"C:\Users\ user\Deskt op\T2dvU8f 2xg.exe" MD5: E94178C1C416647220889FFD3BDECFB5) - MobServe.exe (PID: 4620 cmdline:
"C:\Users\ user\AppDa ta\Roaming \MyHiddenA ppDataDir\ MobServe.e xe" MD5: 074ED5F745FD9A2EF6F29FD2D9AFB07A) - XWin_MobaX.exe (PID: 3800 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Mxt242 \bin\XWin_ MobaX.exe" -silent-d up-error - notrayicon -nolisten inet6 -ho stintitle +bs -clipb oard -nowg l -multiwi ndow -nore set :0 MD5: 6F1143FB1F02C715CBEF79C271A7E4B6) - xkbcomp_w32.exe (PID: 6808 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Mxt242 \bin\xkbco mp_w32.exe " -w 1 "-R C:\Users\u ser\AppDat a\Local\Te mp\Mxt242\ usr\share\ X11\xkb" - xkm "C:\Us ers\user\A ppData\Loc al\Temp\Mx t242\var\l og\xwin\xk b_a06188" -em1 "The XKEYBOARD keymap com piler (xkb comp) repo rts:" -emp "> " -eml "Errors f rom xkbcom p are not fatal to t he X serve r" "C:\Use rs\user\Ap pData\Loca l\Temp\Mxt 242\var\lo g\xwin\ser ver-0.xkm" MD5: B2B22157777ED19C9F1369E2D45C1510) - conhost.exe (PID: 7612 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - xkbcomp_w32.exe (PID: 2996 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Mxt242 \bin\xkbco mp_w32.exe " -w 1 "-R C:\Users\u ser\AppDat a\Local\Te mp\Mxt242\ usr\share\ X11\xkb" - xkm "C:\Us ers\user\A ppData\Loc al\Temp\Mx t242\var\l og\xwin\xk b_a06188" -em1 "The XKEYBOARD keymap com piler (xkb comp) repo rts:" -emp "> " -eml "Errors f rom xkbcom p are not fatal to t he X serve r" "C:\Use rs\user\Ap pData\Loca l\Temp\Mxt 242\var\lo g\xwin\ser ver-0.xkm" MD5: B2B22157777ED19C9F1369E2D45C1510) - conhost.exe (PID: 2372 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- MobServe.exe (PID: 2672 cmdline:
C:\Users\u ser\AppDat a\Roaming\ MyHiddenAp pDataDir\M obServe.ex e MD5: 074ED5F745FD9A2EF6F29FD2D9AFB07A)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
INDICATOR_EXE_Packed_Enigma | Detects executables packed with Enigma | ditekSHen |
| |
INDICATOR_EXE_Packed_Loader | Detects packed executables observed in Molerats | ditekSHen |
| |
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_EXE_Packed_Enigma | Detects executables packed with Enigma | ditekSHen |
| |
INDICATOR_EXE_Packed_Enigma | Detects executables packed with Enigma | ditekSHen |
| |
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_EXE_Packed_Enigma | Detects executables packed with Enigma | ditekSHen |
| |
INDICATOR_EXE_Packed_Enigma | Detects executables packed with Enigma | ditekSHen |
| |
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
Click to see the 6 entries |
⊘No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T13:20:46.914092+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49833 | 107.148.62.100 | 8084 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_1004B352 | |
Source: | Code function: | 0_2_1008B3D0 | |
Source: | Code function: | 0_2_1008B6C0 | |
Source: | Code function: | 0_2_100899C0 | |
Source: | Code function: | 0_2_1008AE30 | |
Source: | Code function: | 0_2_10273E80 | |
Source: | Code function: | 0_2_1008AFE0 |
Source: | File created: | Jump to behavior |
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_1000A4F0 |
Networking |
---|
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |