Create Interactive Tour
Windows
Analysis Report
lzxbD4wR0g.exe
Overview
General Information
| Sample Name: | lzxbD4wR0g.exe |
| Analysis ID: | 724697 |
| MD5: | c890f96e19ee27909df744b788477006 |
| SHA1: | 3561aaad032a7a8697763f05247b4ae80c2aaf56 |
| SHA256: | 2d0e058a8b228d5218137814147c05674d5c5ad8d0614f80cd088dba156204e2 |
| Infos: |  |
 | |
Detection
Sality
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Sality
Antivirus detection for dropped file
Writes to foreign memory regions
PE file has a writeable .text section
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables user account control notifications
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Allocates memory in foreign processes
May modify the system service descriptor table (often done to hook functions)
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to inject threads in other processes
Disables UAC (registry)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
May infect USB drives
Detected potential crypto function
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Modifies existing windows services
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
lzxbD4wR0g.exe (PID: 1248 cmdline: C:\Users\u ser\Deskto p\lzxbD4wR 0g.exe MD5: C890F96E19EE27909DF744B788477006) 
explorer.exe (PID: 1244 cmdline: explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) - fontdrvhost.exe (PID: 684 cmdline:
fontdrvhos t.exe MD5: 31113981180E69C2773BCADA4051738A) 
WerFault.exe (PID: 1348 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 248 -s 832 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Sality | Yara detected Sality | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Sality | Yara detected Sality | Joe Security | ||
| INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen |
| |
| JoeSecurity_Sality | Yara detected Sality | Joe Security | ||
| INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen |
| |
| INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen |
|
⊘No Sigma rule has matched
⊘No Snort rule has matched
- • AV Detection
- • Compliance
- • Spreading
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Boot Survival
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
- • Lowering of HIPS / PFW / Operating System Security Settings
- • Remote Access Functionality
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Avira: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Spreading | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||