Windows
Analysis Report
#U2800.exe
Overview
General Information
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Attempt to bypass Chrome Application-Bound Encryption
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected Telegram Recon
AI detected suspicious sample
Drops password protected ZIP file
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Tries to harvest and steal browser information (history, passwords, etc)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Browser Execution In Headless Mode
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
- #U2800.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\#U2800.exe" MD5: 95C636B47AF9E07F311F711C5328AEB8)
- msedge.exe (PID: 7116 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9626 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-crash-reporter --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --disable-site-isolation-trials --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 4192 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1496 --field-trial-handle=1412,i,1880480402354006827,1683441286412184854,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- chrome.exe (PID: 7164 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9940 --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-crash-reporter --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --disable-site-isolation-trials --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 7328 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1588 --field-trial-handle=1420,i,14764490756503719994,12081713537846104491,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- WINWORD.EXE (PID: 7472 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Documents\Your_Benefits_and_Role.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
System Summary |
---|
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |