Windows Analysis Report: fJe9em23BB.exe
Overview
General Information
Detection: Fabookie, ManusCrypt, Nymaim, PrivateLoader, Raccoon Stealer v2, RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Yara detected Fabookie
Malicious sample detected (through community Yara rule)
Yara detected Nymaim
Yara detected ManusCrypt
Multi AV Scanner detection for dropped file
Yara detected PrivateLoader
Disable Windows Defender real time protection (registry)
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to detect sandboxes and other dynamic analysis tools (window names)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Creates processes via WMI
Machine Learning detection for sample
Drops PE files to the document folder of the user
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign process
Tries to evade analysis by executing a special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Modifies Group Policy settings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Hides threads from debuggers
Detected VMProtect packer
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Creates HTML files with .exe extension (expired dropper behavior)
Found C&C like URL pattern
Yara detected Generic Downloader
Machine Learning detection for dropped file
Disables Windows Defender (deletes autostart)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Sets debug register (to hijack the execution of another thread)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE file contains more sections than normal
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Is looking for software installed on the system
Sample file name differs from the original file name recorded in its version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Allocates memory with a write watch (potentially for evading sandboxes)
File is packed with WinRar
Contains capabilities to detect virtual machines
Uses taskkill to terminate processes
Queries disk information (often used to detect virtual machines)
Classification
- System is w10x64
- fJe9em23BB.exe (PID: 832, cmdline: "C:\Users\user\Desktop\fJe9em23BB.exe", MD5: E18B3707FF095F5DD8EAC23474E25809)
- GWafJDbetTJK0ciVGh5n0Df1.exe (PID: 6360, cmdline: "C:\Users\user\Pictures\Minor Policy\GWafJDbetTJK0ciVGh5n0Df1.exe", MD5: 106078BB0964B75800DA2013419239D9)
- 0RWCjOTmPGy8vyz30vD2T7Gp.exe (PID: 6368, cmdline: "C:\Users\user\Pictures\Minor Policy\0RWCjOTmPGy8vyz30vD2T7Gp.exe", MD5: 7C21DE05BE518F55C847F18E46F4F65D)
- control.exe (PID: 6760, cmdline: "C:\Windows\System32\control.exe" "C:\Users\user\AppData\Local\Temp\VPGy.cpL",, MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
- rundll32.exe (PID: 7016, cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\VPGy.cpL",, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- rundll32.exe (PID: 4584, cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\VPGy.cpL",, MD5: 73C519F050C20580F8A62C849D49215A)
- rundll32.exe (PID: 4484, cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\user\AppData\Local\Temp\VPGy.cpL",, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- VSVo7xFGZNVBCHvpzHHk7X6w.exe (PID: 6376, cmdline: "C:\Users\user\Pictures\Minor Policy\VSVo7xFGZNVBCHvpzHHk7X6w.exe", MD5: 77D8DF4427C8B1A28C8D2591A9C92A70)
- ze5tCopHgrlItmsTQGIZcUK1.exe (PID: 6384, cmdline: "C:\Users\user\Pictures\Minor Policy\ze5tCopHgrlItmsTQGIZcUK1.exe", MD5: 9519C85C644869F182927D93E8E25A33)
- 3IvnW3Tihs6HZPHX18cvdMMt.exe (PID: 6412, cmdline: "C:\Users\user\Pictures\Minor Policy\3IvnW3Tihs6HZPHX18cvdMMt.exe", MD5: D33F5C381C8A2DC544C313355BA4EB64)
- is-L9EAU.tmp (PID: 6772, cmdline: "C:\Users\user\AppData\Local\Temp\is-H5KLL.tmp\is-L9EAU.tmp" /SL4 $203DC "C:\Users\user\Pictures\Minor Policy\3IvnW3Tihs6HZPHX18cvdMMt.exe" 2324125 52736, MD5: FEC7BFF4C36A4303ADE51E3ED704E708)
- ccsearcher.exe (PID: 6328, cmdline: "C:\Program Files (x86)\ccSearcher\ccsearcher.exe", MD5: 0545F55B7F65691C450919EE98E9C6B8)
- cmd.exe (PID: 5292, cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "ccsearcher.exe" /f & erase "C:\Program Files (x86)\ccSearcher\ccsearcher.exe" & exit, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 4880, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 2620, cmdline: taskkill /im "ccsearcher.exe" /f, MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- aJLVqZit29LEEhRpCpbwWX8O.exe (PID: 6420, cmdline: "C:\Users\user\Pictures\Minor Policy\aJLVqZit29LEEhRpCpbwWX8O.exe", MD5: 469B0C97D2AA9A03581536D485BC8864)
- GnPinkNTKlMRD3bjBO0oh3Wa.exe (PID: 6428, cmdline: "C:\Users\user\Pictures\Minor Policy\GnPinkNTKlMRD3bjBO0oh3Wa.exe", MD5: 76000A1A15850FCAA06877E21F7EB348)
- conhost.exe (PID: 6540, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- lxZuX__vSUgWYReh9N0WlQOa.exe (PID: 6436, cmdline: "C:\Users\user\Pictures\Minor Policy\lxZuX__vSUgWYReh9N0WlQOa.exe", MD5: 2EF8DA551CF5AB2AB6E3514321791EAB)
- conhost.exe (PID: 6484, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- lxZuX__vSUgWYReh9N0WlQOa.exe (PID: 6904, cmdline: "C:\Users\user\Pictures\Minor Policy\lxZuX__vSUgWYReh9N0WlQOa.exe" -h, MD5: 2EF8DA551CF5AB2AB6E3514321791EAB)
- conhost.exe (PID: 6956, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- S4FBxlLjDvaMdcwHZaTlWrII.exe (PID: 6444, cmdline: "C:\Users\user\Pictures\Minor Policy\S4FBxlLjDvaMdcwHZaTlWrII.exe", MD5: 83FD77104C17653424A3D3894DBE8793)
- WmiPrvSE.exe (PID: 6304, cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, MD5: A782A4ED336750D10B3CAF776AFE8E70)
- rundll32.exe (PID: 4656, cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open, MD5: 73C519F050C20580F8A62C849D49215A)
- rundll32.exe (PID: 2020, cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- svchost.exe (PID: 4960, cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5228, cmdline: C:\Windows\system32\svchost.exe -k WspService, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cleanup
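The process tree above shows three patterns worth turning into detection logic: control.exe and rundll32.exe loading a .cpl applet and a DLL (db.dll,open) from the user's AppData\Local\Temp, the shell32 Control_RunDLL entry point invoked by name and, in the SysWOW64 relaunch, by ordinal #44 for the same applet, and a cmd.exe one-liner that force-kills ccsearcher.exe and erases its binary. The Python below is an added example and is not part of the Joe Sandbox report; its process records are transcribed from the tree above (a subset), and the rule names, regular expressions and the list of user-writable directories are this example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str


# Constructed input: a subset of the report's process tree, transcribed by hand.
PROCESSES = [
    Proc(6760, "control.exe",
         r'"C:\Windows\System32\control.exe" "C:\Users\user\AppData\Local\Temp\VPGy.cpL",'),
    Proc(7016, "rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\VPGy.cpL",'),
    Proc(4484, "rundll32.exe",
         r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\user\AppData\Local\Temp\VPGy.cpL",'),
    Proc(4656, "rundll32.exe",
         r'rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open'),
    Proc(5292, "cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im "ccsearcher.exe" /f & erase "C:\Program Files (x86)\ccSearcher\ccsearcher.exe" & exit'),
    Proc(6360, "GWafJDbetTJK0ciVGh5n0Df1.exe",
         r'"C:\Users\user\Pictures\Minor Policy\GWafJDbetTJK0ciVGh5n0Df1.exe"'),
    Proc(4960, "svchost.exe",
         r'c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo'),
]

# Directories a standard user can write to without elevation (this example's own list).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|Pictures|Documents|Downloads|Desktop)\\", re.I)
# An absolute path to a .dll or .cpl passed as a rundll32/control.exe argument.
MODULE_ARG = re.compile(r'"?([A-Za-z]:\\[^",]+?\.(?:dll|cpl))"?', re.I)
# The command line's first token when it is an absolute path to an .exe.
IMAGE_PATH = re.compile(r'^"?([A-Za-z]:\\[^"]+?\.exe)"?', re.I)
# shell32's Control_RunDLL entry point, by name or by the ordinal (#44) that the
# report's SysWOW64 rundll32 passes for the same applet.
CONTROL_RUNDLL = re.compile(r'shell32\.dll"?,\s*(?:Control_RunDLL|#44)\b', re.I)


def check_lolbin_module_load(p: Proc) -> list[str]:
    """rundll32/control.exe loading a DLL or CPL applet from a user-writable directory."""
    if p.image.lower() not in ("rundll32.exe", "control.exe"):
        return []
    findings = []
    for m in MODULE_ARG.finditer(p.cmdline):
        path = m.group(1)
        if USER_WRITABLE.search(path):
            name = path.rsplit("\\", 1)[-1]
            findings.append(f"{p.image} loads {name} from user-writable path")
    if CONTROL_RUNDLL.search(p.cmdline):
        findings.append(f"{p.image} runs a CPL applet via shell32 Control_RunDLL")
    return findings


def check_kill_and_erase(p: Proc) -> list[str]:
    """cmd.exe that force-kills a process and then erases its binary (dropper clean-up)."""
    if p.image.lower() != "cmd.exe":
        return []
    kill = re.search(r'taskkill\s+/im\s+"?([^"\s]+)"?\s+/f', p.cmdline, re.I)
    erase = re.search(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', p.cmdline, re.I)
    if kill and erase and erase.group(1).lower().endswith(kill.group(1).lower()):
        return [f"cmd.exe kills {kill.group(1)} then erases its binary (self-delete)"]
    return []


def check_exec_from_user_dir(p: Proc) -> list[str]:
    """Executable started from a user-writable folder; the report's payloads run from
    the user's Pictures folder (the submitted sample itself ran from Desktop)."""
    m = IMAGE_PATH.match(p.cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        return [f"{p.image} executed from user-writable path"]
    return []


RULES = (check_lolbin_module_load, check_kill_and_erase, check_exec_from_user_dir)


def triage(processes: list[Proc]) -> dict[int, list[str]]:
    """Map PID -> findings for every process that triggers at least one rule."""
    out: dict[int, list[str]] = {}
    for p in processes:
        hits = [f for rule in RULES for f in rule(p)]
        if hits:
            out[p.pid] = hits
    return out


if __name__ == "__main__":
    for pid, hits in triage(PROCESSES).items():
        for hit in hits:
            print(f"PID {pid}: {hit}")
```

On the transcribed subset the svchost.exe entry produces no finding, while all three rundll32 invocations, control.exe, the cmd.exe clean-up line and the payload started from Pictures are flagged. A Control_RunDLL launch is not malicious on its own (the Control Panel uses it constantly); the signal here is the combination with an applet that lives in a Temp directory, which is why the module-path check and the entry-point check are reported separately.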
Malware configuration (extracted):
{"C2 addresses": ["208.67.104.97"]}
{"C2 url": "94.228.116.72:7597", "Bot Id": "Fire7"}
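The two configuration blobs above come from the report's Malware Configuration Extractor: one carries a bare C2 address, the other an ip:port endpoint plus a bot ID. The Python below is an added example, not part of the report, that normalizes both shapes into (host, port) IOCs and emits Suricata rules for them; the SID range, the rule messages and the convention of `alert tcp` with a port versus `alert ip` with `any` when the port is unknown are this example's own assumptions.

```python
from __future__ import annotations

import ipaddress
import json

# Constructed input: the two configuration blobs printed by the report's extractor.
RAW_CONFIGS = [
    '{"C2 addresses": ["208.67.104.97"]}',
    '{"C2 url": "94.228.116.72:7597", "Bot Id": "Fire7"}',
]


def parse_endpoint(value: str) -> tuple[str, int | None]:
    """Split 'host[:port]'. A bare IPv6 literal (several colons, no brackets)
    is returned without a port rather than mis-split at its last colon."""
    if value.count(":") > 1 and not value.startswith("["):
        return value, None
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    return host.strip("[]"), int(port)


def extract_iocs(configs: list[str]) -> list[tuple[str, int | None]]:
    """Collect (host, port) pairs from every key that names a C2 endpoint,
    accepting both a single string and a list of strings as the value."""
    iocs: set[tuple[str, int | None]] = set()
    for raw in configs:
        for key, val in json.loads(raw).items():
            if not key.lower().startswith("c2"):
                continue  # "Bot Id" is campaign metadata, not an endpoint
            for v in (val if isinstance(val, list) else [val]):
                iocs.add(parse_endpoint(str(v)))
    return sorted(iocs, key=lambda t: (t[0], t[1] or 0))


def suricata_rules(iocs: list[tuple[str, int | None]], base_sid: int = 9000001) -> list[str]:
    """One rule per IOC. Assumed conventions (this example's own): tcp with the
    port when the config gives one, otherwise any IP traffic to the host."""
    rules = []
    for i, (host, port) in enumerate(iocs):
        ipaddress.ip_address(host)  # domains need a dns/tls rule instead; fail loudly here
        if port is None:
            rules.append(f'alert ip $HOME_NET any -> {host} any '
                         f'(msg:"C2 {host}"; sid:{base_sid + i}; rev:1;)')
        else:
            rules.append(f'alert tcp $HOME_NET any -> {host} {port} '
                         f'(msg:"C2 {host}:{port}"; sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    print("\n".join(suricata_rules(extract_iocs(RAW_CONFIGS))))
```

The `ipaddress.ip_address` call is deliberate: extractor output for other families often contains hostnames, and silently writing a hostname into the destination field of an `alert ip` rule produces a rule that never fires.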
Rule | Description | Author
---|---|---
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security

Rule | Description | Author
---|---|---
MALWARE_Win_DLInjector06 | Detects downloader / injector | ditekSHen
MALWARE_Win_DLInjector06 | Detects downloader / injector | ditekSHen
MALWARE_Win_DLInjector06 | Detects downloader / injector | ditekSHen
MALWARE_Win_DLInjector06 | Detects downloader / injector | ditekSHen
MALWARE_Win_DLInjector06 | Detects downloader / injector | ditekSHen

Rule | Description | Author
---|---|---
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security
SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
JoeSecurity_ManusCrypt | Yara detected ManusCrypt | Joe Security
Windows_Trojan_Generic_a681f24a | unknown | unknown
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security

(5 of 83 entries shown)

Rule | Description | Author
---|---|---
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen

(5 of 64 entries shown)
No Sigma rule has matched.
Snort IDS alert:

Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
---|---|---|---|---|---|---|---
09/02/22-14:02:19.491810 | 192.168.2.6 | 49758 | 116.203.105.117 | 80 | TCP | 2034192 | A Network Trojan was detected
AV Detection
- URL Reputation: 1 entry; Avira URL Cloud: 3 entries
- Avira: 3 entries
- ReversingLabs: 19 entries; Virustotal: 1 entry; Metadefender: 8 entries
- Joe Sandbox ML: 1 entry
- Joe Sandbox ML: 5 entries
- Avira: 8 entries
- Malware Configuration Extractor: 2 entries

Compliance
- Unpacked PE file: 1 entry
- Static PE information: 1 entry
- HTTPS traffic detected: 18 entries
- Binary string: 1 entry

Spreading
- File source: 1 entry
- File opened: 6 entries
- Code function: 14_2_00862AF9, 14_2_00871260, 14_2_0087FCC8, 16_2_009BA931

Networking
- Domain query: 1 entry
- Snort IDS: 1 entry
- File source: 1 entry
- DNS query: 4 entries
- File created: 2 entries
- HTTP traffic detected: 3 entries
- File source: 8 entries
- IPs: 1 entry
- HTTP traffic detected: 1 entry