Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1583479 |
| MD5: | 7e33585d157419e39fb4d232c9f0c5dc |
| SHA1: | 1cf4864a9b009e12534cc299c14466f2b2c9cea3 |
| SHA256: | 027a4baf9864a23fe09d99be3a6f83d1841e47aac2f94d313d2580e84d1b1b39 |
| Tags: | exeuser-jstrosch |
| Infos: |   |
 | |
Detection
XRed
| Score: | 72 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XRed
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
- System is w10x64
file.exe (PID: 4456 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 7E33585D157419E39FB4D232C9F0C5DC) 
._cache_file.exe (PID: 2312 cmdline: "C:\Users\ user\Deskt op\._cache _file.exe" MD5: F0248D477E74687C5619AE16498B13D4) - ._cache_file.exe (PID: 1608 cmdline:
"C:\Window s\Temp\{85 7E71F0-569 F-4069-9DB C-4DC89A81 22EE}\.cr\ ._cache_fi le.exe" -b urn.clean. room="C:\U sers\user\ Desktop\._ cache_file .exe" -bur n.filehand le.attache d=544 -bur n.filehand le.self=64 8 MD5: 843288FD72A1152B50B4E4B7344BB592) - Synaptics.exe (PID: 7024 cmdline:
"C:\Progra mData\Syna ptics\Syna ptics.exe" InjUpdate MD5: B753207B14C635F29B2ABF64F603570A) 
WerFault.exe (PID: 7944 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 024 -s 388 0 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 7968 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 024 -s 392 8 MD5: C31336C1EFC2CCB44B4326EA793040F2)
EXCEL.EXE (PID: 6784 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \Root\Offi ce16\EXCEL .EXE" /aut omation -E mbedding MD5: 4A871771235598812032C822E6F68F19)
- Synaptics.exe (PID: 7300 cmdline:
"C:\Progra mData\Syna ptics\Syna ptics.exe" MD5: B753207B14C635F29B2ABF64F603570A)
- cleanup
{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| Click to see the 1 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_XRed | Yara detected XRed | Joe Security |
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-02T20:31:46.328562+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:46.392653+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:47.456664+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:47.476921+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:48.537935+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:48.597163+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:49.610571+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:49.731228+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:51.609795+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:51.610243+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:52.653553+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 142.250.185.110 | 443 | TCP |
| 2025-01-02T20:31:52.667440+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.4 | 49772 | 142.250.185.110 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-02T20:31:47.265511+0100 | 2832617 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 69.42.215.252 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 1_2_00919EB7 | |
| Source: | Code function: | 1_2_0093F961 | |
| Source: | Code function: | 1_2_00919C99 | |
| Source: | Code function: | 2_2_00CF9EB7 | |
| Source: | Code function: | 2_2_00D1F961 | |
| Source: | Code function: | 2_2_00CF9C99 | |
| Source: | Static PE information: | ||
| Source: | Window detected: | ||