Loading... Additional Content is being loaded
Windows Analysis Report 6rfyiAq0nM
Overview
General Information
| Sample Name: | 6rfyiAq0nM (renamed file extension from none to msi) |
| Analysis ID: | 508222 |
| MD5: | 623673851fbb205eb0d1003cb892d4d6 |
| SHA1: | c541b4e10541bb0a6565ba8cc6b64d2480ef4437 |
| SHA256: | 71a98e982a9dde0ffcf9a46554b7abaf947ac4c33f3a3b35df1a58b0064d0704 |
| Tags: | msi |
| Infos: | |
|
Most interesting Screenshot:  |
|
Detection
Cookie Stealer
| Score: | 74 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Cookie Stealer
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Allocates memory in foreign processes
Sigma detected: Suspicious Svchost Process
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to compare user and computer (likely to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Contains functionality to infect the boot sector
Contains functionality to steal Chrome passwords or cookies
Modifies the context of a thread in another process (thread injection)
Contains functionality to inject threads in other processes
Sets debug register (to hijack the execution of another thread)
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to enumerate running services
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Contains functionality to retrieve information about pressed keystrokes
Checks for available system drives (often done to infect USB drives)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Contains functionality to clear windows event logs (to hide its activities)
PE file contains sections with non-standard names
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Classification
AV Detection: |
  |
|---|
| Multi AV Scanner detection for submitted file |
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Multi AV Scanner detection for domain / URL |
| Source: |
Virustotal: |
Perma Link | ||
| Multi AV Scanner detection for dropped file |
| Source: |
ReversingLabs: |
||
| Antivirus or Machine Learning detection for unpacked file |
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
Cryptography: |
|
|---|
| Uses Microsoft's Enhanced Cryptographic Provider |
| Source: |
Code function: |
16_2_0000012E198245C0 | |
| Source: |
Code function: |
16_2_0000012E19821320 | |
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
Spreading: |
|
|---|
| Checks for available system drives (often done to infect USB drives) |
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Code function: |
13_2_04EC4560 | |
| Source: |
Code function: |
10_2_0040AEF4 | |
| Source: |
Code function: |
10_2_0040A928 | |
| Source: |
Code function: |
11_2_0040E6A0 | |
| Source: |
Code function: |
11_2_0060BC10 | |
| Source: |
Code function: |
11_2_0040E0D4 | |
| Source: |
Code function: |
11_2_006B76A0 | |
| Source: |
Code function: |
13_2_04EB4C20 | |
| Source: |
Code function: |
13_2_04EB56D0 | |
| Source: |
Code function: |
13_2_04EB4E30 | |
| Source: |
Code function: |
13_2_04EB57F0 | |
| Source: |
Code function: |
13_2_04EE97D9 | |
| Source: |
Code function: |
13_2_04EB42B0 | |
| Source: |
Code function: |
13_2_04EB6A30 | |
| Source: |
Code function: |
13_2_04EB53D0 | |
| Source: |
Code function: |
13_2_04EC7390 | |
| Source: |
Code function: |
14_2_0000024B7D0D5E30 | |
| Source: |
Code function: |
14_2_0000024B7D0EAE60 | |
| Source: |
Code function: |
14_2_0000024B7D0D57B0 | |
| Source: |
Code function: |
14_2_0000024B7D0D49FF | |
| Source: |
Code function: |
14_2_0000024B7D0D7A20 | |
| Source: |
Code function: |
14_2_0000024B7D0D4AE3 | |
| Source: |
Code function: |
14_2_0000024B7D0D63F0 | |
| Source: |
Code function: |
14_2_0000024B7D110478 | |
| Source: |
Code function: |
14_2_0000024B7D0D4B90 | |
| Source: |
Code function: |
16_2_0000012E17874AE3 | |
| Source: |
Code function: |
16_2_0000012E178749FF | |
| Source: |
Code function: |
16_2_0000012E17877A20 | |
| Source: |
Code function: |
16_2_0000012E178757B0 | |
| Source: |
Code function: |
16_2_0000012E17875E30 | |
| Source: |
Code function: |
16_2_0000012E1788AE60 | |
| Source: |
Code function: |
16_2_0000012E178B0478 | |
| Source: |
Code function: |
16_2_0000012E178763F0 | |
| Source: |
Code function: |
16_2_0000012E17874B90 | |
| Source: |
Code function: |
16_2_0000012E19805CF4 | |
| Source: |
Code function: |
16_2_0000012E19823D90 | |
| Source: |
Code function: |
16_2_0000012E198EB2F0 | |
| Source: |
Code function: |
17_2_00000204F3384B90 | |
| Source: |
Code function: |
17_2_00000204F33863F0 | |
| Source: |
Code function: |
17_2_00000204F33C0478 | |
| Source: |
Code function: |
17_2_00000204F3384AE3 | |
| Source: |
Code function: |
17_2_00000204F33849FF | |
| Source: |
Code function: |
17_2_00000204F3387A20 | |
| Source: |
Code function: |
17_2_00000204F33857B0 | |
| Source: |
Code function: |
17_2_00000204F3385E30 | |
| Source: |
Code function: |
17_2_00000204F339AE60 | |
Networking: |
|
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| System process connects to network (likely due to code injection or exploit) |
| Source: |
Domain query: |
||
| Uses a known web browser user agent for HTTP communication |
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| IP address seen in connection with other malware |
| Source: |
IP Address: |
||
| Source: |
IP Address: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
Code function: |
13_2_04ECDFF0 | |
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: | ||