Windows
Analysis Report
PVKDyWHOaX.exe
Overview
General Information
Sample name: | PVKDyWHOaX.exe (renamed because the original name is a hash value) |
Original sample name: | 07b5b4156d1f3adbb7728ba7a7d538af04e7cca8e396a19f5446bb2043a6e3db.exe |
Analysis ID: | 1578839 |
MD5: | 79ab86017b2c9b713d6af08086b1937f |
SHA1: | 4214a09a7a12b341b9b5290b448e2a321a1f4566 |
SHA256: | 07b5b4156d1f3adbb7728ba7a7d538af04e7cca8e396a19f5446bb2043a6e3db |
Tags: | banker, exe, latam, PAGAMENTOS-DIGITAIS-LTDA, trojan, user-johnk3r |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Compliance
Score: | 48 |
Range: | 0 - 100 |
Signatures
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains very large strings
AI detected suspicious sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Powershell drops PE file
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Switches to a custom stack to bypass stack traces
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- PVKDyWHOaX.exe (PID: 6412 cmdline: `"C:\Users\user\Desktop\PVKDyWHOaX.exe"` MD5: 79AB86017B2C9B713D6AF08086B1937F)
  - powershell.exe (PID: 348 cmdline: `"C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwAyAGMAYgBiADYANQA0AGUALQA1AGMANgA0AC0ANAAzADkANwAtADkAMwA5ADUALQAzAGYANgA0ADEANQA2ADgAMwAwAGYAYQAnADsAJAB5AD0AJwBDADoAXABVAHMAZQByAHMAXABhAGwAZgBvAG4AcwBcAEQAZQBzAGsAdABvAHAAXABQAFYASwBEAHkAVwBIAE8AYQBYAC4AZQB4AGUAJwA7AHQAcgB5ACAAewANAAoAIAAgAGkAZgAgACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAANAApAA0ACgAgACAAewAgACQAbgB1AGwAbAAgAD0AIABbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAVQBuAHMAYQBmAGUATABvAGEAZABGAHIAbwBtACgAJAB5ACkAIAB9ACAAZQBsAHMAZQAgAHsAIAAkAG4AdQBsAGwAIAA9ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQARgBpAGwAZQAoACQAeQApAH0ADQAKACAAIAAuACAAKABbAF8AMwAyAC4AXwA4ADgAXQA6ADoAXwA3ADQAKAAkAHgAKQApAA0ACgAgACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUADQAKAH0AIAANAAoAYwBhAHQAYwBoACAAWwBOAG8AdABTAHUAcABwAG8AcgB0AGUAZABFAHgAYwBlAHAAdABpAG8AbgBdAA0ACgB7AA0ACgAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACcAQQBwAHAAbABpAGMAYQB0AGkAbwBuACAAbABvAGMAYQB0AGkAbwBuACAAaQBzACAAdQBuAHQAcgB1AHMAdABlAGQALgAgAEMAbwBwAHkAIABmAGkAbABlACAAdABvACAAYQAgAGwAbwBjAGEAbAAgAGQAcgBpAHYAZQAsACAAYQBuAGQAIAB0AHIAeQAgAGEAZwBhAGkAbgAuACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQADQAKAH0ADQAKAGMAYQB0AGMAaAAgAHsADQAKACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAKAAiAEUAcgByAG8AcgA6ACAAIgAgACsAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAKQAgAC0ARgBvAHIAZQAgAFIAZQBkACAADQAKAH0A` MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 6152 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - icacls.exe (PID: 7100 cmdline: `"C:\Windows\system32\icacls.exe" C:\Nvidia-75619 /grant Everyone:F /T /C` MD5: 48C87E3B3003A2413D6399EA77707F5D)
  - WmiPrvSE.exe (PID: 1672 cmdline: `C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding` MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  - icacls.exe (PID: 7464 cmdline: `"C:\Windows\system32\icacls.exe" C:\Nvidia-75619\Nvidia-75619.exe /grant Everyone:F /T /C` MD5: 48C87E3B3003A2413D6399EA77707F5D)
  - Nvidia-75619.exe (PID: 7488 cmdline: `"C:\Nvidia-75619\Nvidia-75619.exe"` MD5: D11828146FF9E2E340C555F9531CAC47)
- svchost.exe (PID: 2952 cmdline: `C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS` MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- Nvidia-75619.exe (PID: 7732 cmdline: `"C:\Nvidia-75619\Nvidia-75619.exe"` MD5: D11828146FF9E2E340C555F9531CAC47)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
System Summary

Source | Author
---|---
| Christopher Peacock '@securepeacock', SCYTHE
| Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community