Edit tour
Windows
Analysis Report
WTvNL75dCr.exe
Overview
General Information
| Sample name: | WTvNL75dCr.exerenamed because original name is a hash value |
| Original sample name: | 94b19d2d17eeb9168cb11f97d532ee65962f70a2c1249f3abfc8625c8c3193f8.exe |
| Analysis ID: | 1578193 |
| MD5: | 41d0bfe78163967efad3c207926add4b |
| SHA1: | c9bc16bc1e3a6ec027a83b1efa0fc4c4a6234bf3 |
| SHA256: | 94b19d2d17eeb9168cb11f97d532ee65962f70a2c1249f3abfc8625c8c3193f8 |
| Tags: | exeuser-JAMESWT_MHT |
| Infos: |  |
 | |
Detection
Python BackDoor
| Score: | 60 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Python BackDoor
AI detected suspicious sample
Opens network shares
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Classification
- System is w10x64
WTvNL75dCr.exe (PID: 6552 cmdline: "C:\Users\ user\Deskt op\WTvNL75 dCr.exe" MD5: 41D0BFE78163967EFAD3C207926ADD4B) - WTvNL75dCr.exe (PID: 5364 cmdline:
"C:\Users\ user\Deskt op\WTvNL75 dCr.exe" MD5: 41D0BFE78163967EFAD3C207926ADD4B) 
systeminfo.exe (PID: 5764 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD) 
conhost.exe (PID: 1900 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WmiPrvSE.exe (PID: 6500 cmdline: C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - cmd.exe (PID: 6504 cmdline:
C:\Windows \system32\ cmd.exe /c "wmic com putersyste m get manu facturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6468 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 4708 cmdline:
wmic compu tersystem get manufa cturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785) 
WerFault.exe (PID: 6204 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 5 364 -s 968 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PythonBackDoor_1 | Yara detected Python BackDoor | Joe Security | ||
| JoeSecurity_PythonBackDoor_1 | Yara detected Python BackDoor | Joe Security | ||
| JoeSecurity_PythonBackDoor_1 | Yara detected Python BackDoor | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||