Windows
Analysis Report
VRO.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
92 | 0 - 100 | false | 100%
Signatures
Attempt to bypass Chrome Application-Bound Encryption
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Yara detected Telegram Recon
AI detected suspicious sample
Drops PE files to the startup folder
Drops password protected ZIP file
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Tries to harvest and steal browser information (history, passwords, etc)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Browser Execution In Headless Mode
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer
Classification
- System is w10x64
- VRO.exe (PID: 6748 cmdline: "C:\Users\user\Desktop\VRO.exe" MD5: 27A4EE022E76538E095FD1A9C5B7F615)
- chrome.exe (PID: 2144 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9977 --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 2840 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1884 --field-trial-handle=1640,i,12577669391714832986,17764448125695672144,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 4464 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9685 --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 5500 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1496 --field-trial-handle=1460,i,1102398707601110345,13155634822924681398,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- msedge.exe (PID: 4408 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9790 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 4112 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1628 --field-trial-handle=1476,i,13386366165043930171,2426445094781743161,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 5868 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9530 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 6948 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1508 --field-trial-handle=1456,i,4826117100370382439,15549664499836610193,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
System Summary
Source | Author
---|---
 | Nasreddine Bencherchali (Nextron Systems)