Edit tour
Windows
Analysis Report
eQcKjYOV30.exe
Overview
General Information
| Sample Name: | eQcKjYOV30.exe |
| Analysis ID: | 795393 |
| MD5: | 84290327a8ab5af7ad02aee63fcb57f3 |
| SHA1: | 3a4a03db0ffa8a1a1fcdaea89ca5f15597599468 |
| SHA256: | 09c55db03356ef131aed108a5983b70994301132a3ac6f5743a0a6cb6bb83818 |
| Tags: | 32Cutwailexetrojan |
| Infos: |  |
 | |
Detection
Pushdo
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Backdoor Pushdo
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for sample
Contains functionality to inject code into remote processes
Machine Learning detection for dropped file
Drops PE files to the user root directory
Contains functionality to inject threads in other processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Connects to many different domains
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Connects to several IPs in different countries
Drops PE files to the user directory
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapater information
Classification
- System is w10x64
eQcKjYOV30.exe (PID: 5584 cmdline: C:\Users\u ser\Deskto p\eQcKjYOV 30.exe MD5: 84290327A8AB5AF7AD02AEE63FCB57F3)
- pigalicapi.exe (PID: 5000 cmdline:
"C:\Users\ user\pigal icapi.exe" MD5: 84290327A8AB5AF7AD02AEE63FCB57F3)
- pigalicapi.exe (PID: 5968 cmdline:
"C:\Users\ user\pigal icapi.exe" MD5: 84290327A8AB5AF7AD02AEE63FCB57F3)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Pushdo | Yara detected Backdoor Pushdo | Joe Security | ||
| JoeSecurity_Pushdo | Yara detected Backdoor Pushdo | Joe Security | ||
| JoeSecurity_Pushdo | Yara detected Backdoor Pushdo | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.5104.21.23.949704802016867 01/31/23-18:44:22.366128 |
| SID: | 2016867 |
| Source Port: | 49704 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Code function: | 0_2_00408A70 | |
| Source: | Code function: | 0_2_00408970 | |
| Source: | Code function: | 0_2_00408800 | |
| Source: | Code function: | 0_2_004047F0 | |
| Source: | Code function: | 0_2_00404BA0 | |
| Source: | Code function: | 0_2_00408BB0 | |
| Source: | Code function: | 0_2_00408CF0 | |
| Source: | Code function: | 0_2_00404880 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTP traffic detected: | ||