Edit tour
Windows
Analysis Report
Payment-Order #24560274 for 8,380 USD.exe
Overview
General Information
| Sample name: | Payment-Order #24560274 for 8,380 USD.exe |
| Analysis ID: | 1582316 |
| MD5: | eac2017286abefbd21b28e7f9fcab248 |
| SHA1: | 02f90ba750bf3801e286ecfbf3467110f8b2ef94 |
| SHA256: | e8f6dc455cea42a08feb8fcf5a34928864d537ec5ec905576cee58c9fabd6a5f |
| Tags: | exeuser-TeamDreier |
| Infos: |   |
 | |
Detection
AsyncRAT, PureLog Stealer, zgRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Disables UAC (registry)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
Payment-Order #24560274 for 8,380 USD.exe (PID: 7256 cmdline: "C:\Users\ user\Deskt op\Payment -Order #24 560274 for 8,380 USD .exe" MD5: EAC2017286ABEFBD21B28E7F9FCAB248) 
powershell.exe (PID: 7352 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Add-MpPref erence -Ex clusionPat h "C:\User s\user\Des ktop\Payme nt-Order # 24560274 f or 8,380 U SD.exe" -F orce MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 7360 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WmiPrvSE.exe (PID: 7752 cmdline: C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - CasPol.exe (PID: 7400 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Cas Pol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B) - CasPol.exe (PID: 7424 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Cas Pol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B) 
WerFault.exe (PID: 7520 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 7 256 -s 102 8 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
{"Server": "91.223.3.156", "Ports": "7707,8808", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "Hhll9M0e4lNnAyASCeNxW0bZeqomPsnN", "Mutex": "TcNC0kSWrpnZ", "Certificate": "MIIE8jCCAtqgAwIBAgIQANuvcDyw7qEgH8/hHGWHqzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQwNTEyMTI0OTA3WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJdzTz3Veou5WnDQ98+tWByIlrDRKQGKkbazCczn0Ct7+4sThlLPimklMZ+f4RT57OsAzLlnLTtaFmOLqoZuOpHJXYjD1rjpx+gFScl9SBCVk8aDDCWBhDXe9cG4Vs5Eac3vPTYcOIJX8v/GB6NUvb1lXRgnlTYCttP50bgN1f4g+qbz4QFJx3VvXzka0jGewd+0elhblp5Y8Wp7otngd+SaMNDnLie9HNMUMY5al98pN0YGhUz3aPW6nV9lSlhI1Kp+PTrx3ubbSsqFgVTh3HhPELDFfYQhnbz7y5NKt478LHGHstq8qvpJd1RrmgUXqQ+U+yqvNnwWi1lC4x9exTZysfl6o/NL/YLIsy6PWAClqUMwrsVUEtvBkwnN+H9I4/z3jxaNaceFHKr2T0BhjLkwJxX/81HY2ChOigRmW6mtxM7PkMJek26H42rq9NTXnAniR2sOZAtU1Bse1E7dB3E8bgPVe8t0xlcoDJ1HBe8P5DRKGexuWBaWSI+/idWmPH6fdnQE4NjSkxc6jOIDaOz2B2CfuEuyza5FF23Qm3UIju4iBhbkkQ07ikYVh+KFFcmVJBV+SInQxSkKZRtm3fgCfCQSr9YHypuIVvoQg49wyw2K/tEBwBld7ChRpjrSiyZXFZyuad0C/oWTc0C4PrxmpOCrr/aEJkkzCXa7nWG5AgMBAAGjMjAwMB0GA1UdDgQWBBQ/VoJ/uA+0qEUprzCyevh/hBqWZjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA9ap836unSmbz6tOLXiWOy7ichSRTjF8EN74dwIBcla5ooNT7FsljjZPMZJYswa8By4rYITjzSUo7gJ4H0zZcIeeLRLDMeDjfZaPgr/XPHXFQFvoEj1YxqSdGZopOsC29FZNn+WLSW63GLwifvlJxyJsnJqaI+q1HDri1YUP3v2G5dAD2hH91GCA85k0Pc5yQuHQdcNeRm02kmhApG1zwQHvdFerRlySMH/kh1smRrYOvm/MJirQQaNaaqQSmkfDQPzhAmnwoRjSC0kmpMVnlry1SkSM4VPPAm3p40MqLQO/m2AqB5Q8L8GdtWgXbownBmUAFyjEplt1Z0/ZydU9EE0LreZ1M9/a8QCJv7KVtDBjDWPvJLDsRrWm0CMacEeWvALYSe4XTtIOvEipXEOGzp2TFLdX2pfv+/Fencajt+UXTXrx6GdotOt/dFdPkMi1haoVO54TWkU4b+XvPKi1+Kk8xnBe9tKaAb2awepoL0Td1G8Irk1dPwEnZoDMQZ0xciH2o2jv5VjL9heestdAQqraDWHYmTE3Epp5JYSWAlEdiinW5KouF99gkXipUT/q3mCDofr+8fjCBIhbl9nxZF/sg5mB296IAeLYPACl+aemri2BHrbmvFSA8pI7nohDp/bYiZ1FY95CzrV9p8ndK+EKIiXgsuDVDUFJjlIEfGoA==", "ServerSignature": "GlhXKNjmzjDXgtTRaHnX+SERJTWzBcBCzkA9cgIj6m2wjHscqGrjpcsaoYwLMcVUakGcYPAWjiCliHGLyQWCFOXopGt7ELHBQQfpd8aBd3w64xqXupsUU6P4O+RetxxzVOcd3XKAaiklChhInWet1Gzl0ID0jgbLtOFt7a8NuuBAMbMA2dZNQF1OVjn6/DRD6OaMIpjCKxsaWc/AYzXNm2HWrPF+xCP7R0D3wRPHCEQRJVN8Vq5R/PLF8S8RQ8Sd4e58szJFfuBYZSBJY/78wme2ypko/zCtICugPhNCJZJfpgsLuN1S1RZn4ZdSIeOmNtfKn9aihq+v7PxETHQNHB9w/dSaX/sSiA7QXCcKfEP9BIz2M6y2RtpNNKoXefNFZGbAOrccR1rCKNMRQFS5BYX6SPNspVn8+tByTurwSO72cLt3gyzJ5FujulFr2r5++/cKOfb5qOeMaaDfFWE+eTdqtVhcDPS1pD34N1CgmB6vJ5GUzGLyTzKrRRDAYW2fqhV8/fwG/SPIXg4OWOnplp9MpIyHJmlT5kx11nHTpOnoestbHvZC/5o7xalNsbHUGJxODX0a5IbdhdmZkMnmhrNKRVcOG7NHsAU5fjrCdTqX7nl2no+Db5fRzrI2sXsAQa2ReYLXUBYrsbIIaKgeohuTpYuArU3ppZLQczpMbzU=", "BDOS": "false", "External_config_on_Pastebin": "null"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| Click to see the 15 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
| rat_win_asyncrat | Detect AsyncRAT based on specific strings | Sekoia.io |
| |
| INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
| Click to see the 28 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:57:06.198518+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 91.223.3.156 | 8808 | 192.168.2.5 | 49709 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:57:06.198518+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 91.223.3.156 | 8808 | 192.168.2.5 | 49709 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:57:06.198518+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 91.223.3.156 | 8808 | 192.168.2.5 | 49709 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||