Windows Analysis Report: GyTbKONlyq.exe
Overview
General Information
Detection: Pushdo, DanaBot, SmokeLoader

Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
- Yara detected DanaBot stealer dll
- Detected unpacking (overwrites its own PE header)
- Yara detected SmokeLoader
- System process connects to network (likely due to code injection or exploit)
- Detected unpacking (changes PE section rights)
- Antivirus detection for URL or domain
- Detected unpacking (creates a PE file in dynamic memory)
- Snort IDS alert for network traffic
- Yara detected Backdoor Pushdo
- Yara detected UAC Bypass using CMSTP
- Multi AV Scanner detection for submitted file
- Benign windows process drops PE files
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for dropped file
- Maps a DLL or memory area into another process
- PE file has a writeable .text section
- Machine Learning detection for sample
- Deletes itself after installation
- Creates a thread in another existing process (thread injection)
- Hides that the sample has been downloaded from the Internet (zone.identifier)
- Checks if the current machine is a virtual machine (disk enumeration)
- Contains functionality to infect the boot sector
- Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
- Machine Learning detection for dropped file
- C2 URLs / IPs found in malware configuration
- Drops PE files to the user root directory
- Antivirus or Machine Learning detection for unpacked file
- May sleep (evasive loops) to hinder dynamic analysis
- Uses code obfuscation techniques (call, push, ret)
- Detected potential crypto function
- Sample execution stops while process was sleeping (likely an evasion)
- JA3 SSL client fingerprint seen in connection with other malware
- Downloads executable code via HTTP
- Contains long sleeps (>= 3 min)
- Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
- Drops files with a non-matching file extension (content does not match file extension)
- Drops PE files
- Tries to load missing DLLs
- Contains functionality to read the PEB
- Uses a known web browser user agent for HTTP communication
- Found evasive API chain checking for process token information
- Checks if the current process is being debugged
- Drops PE files to the user directory
- Dropped file seen in connection with other malware
- Uses 32bit PE files
- Queries the volume information (name, serial number etc) of a device
- Yara signature match
- Contains functionality to shutdown / reboot the system
- PE file contains sections with non-standard names
- Internet Provider seen in connection with other malware
- Contains functionality to call native functions
- Contains functionality to communicate with device drivers
- Found dropped PE file which has not been started or loaded
- Contains functionality which may be used to detect a debugger (GetProcessHeap)
- IP address seen in connection with other malware
- Connects to many different domains
- Creates a DirectInput object (often for capturing keystrokes)
- AV process strings found (often used to terminate AV products)
- Installs a raw input device (often for capturing keystrokes)
- Monitors certain registry keys / values for changes (often done to protect autostart functionality)
- Queries disk information (often used to detect virtual machines)
- Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- GyTbKONlyq.exe (PID: 5436, cmdline: C:\Users\user\Desktop\GyTbKONlyq.exe, MD5: 00DFB3BDA309B0E16F6EA1928CE72721)
- explorer.exe (PID: 3528, cmdline: C:\Windows\Explorer.EXE, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- D2B5.exe (PID: 6116, cmdline: C:\Users\user\AppData\Local\Temp\D2B5.exe, MD5: 7CB3BB706DBEF286C79433E12F459EB2)
- B7BD.exe (PID: 5372, cmdline: C:\Users\user\AppData\Local\Temp\B7BD.exe, MD5: 95BF7AA7949C549B0B92405A4EC9E475)
- 3896.exe (PID: 1636, cmdline: C:\Users\user\AppData\Local\Temp\3896.exe, MD5: A0114856020C2A20C6C85A7DB2027B03)
- gjsvvic (PID: 4768, cmdline: C:\Users\user\AppData\Roaming\gjsvvic, MD5: 00DFB3BDA309B0E16F6EA1928CE72721)
- B7BD.exe (PID: 3176, cmdline: "C:\Users\user\AppData\Local\Temp\B7BD.exe", MD5: 95BF7AA7949C549B0B92405A4EC9E475)
- cleanup
Name | Description | Attribution |
---|---|---|
Pushdo | Pushdo is usually classified as a "downloader" trojan, meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is more sophisticated than most; that sophistication lies in the Pushdo control server rather than the trojan. | No Attribution |

C2 list (from the extracted malware configuration):
- http://perficut.at/tmp/
- http://rutobacco.ru/tmp/
- http://aingular.com/tmp/
- http://piratia-life.ru/tmp/
Rule | Description | Author |
---|---|---|
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |

(5 of 15 entries shown)
Rule | Description | Author |
---|---|---|
JoeSecurity_Pushdo | Yara detected Backdoor Pushdo | Joe Security |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |

(5 of 3 listed entries shown; the remaining rows were not extracted)
No Sigma rule has matched.

Snort IDS alert:

Field | Value |
---|---|
Timestamp | 02/16/23-10:01:19.336000 |
Source IP | 192.168.2.4 |
Destination IP | 86.122.83.142 |
SID | 2851815 |
Source Port | 49697 |
Destination Port | 80 |
Protocol | TCP |
Classtype | A Network Trojan was detected |
AV Detection (detection sources; the individual hit values were not extracted)
- File source: 3 entries
- Avira URL Cloud: 1 entry
- ReversingLabs: 2 entries
- Joe Sandbox ML: 7 entries
- Avira: 6 entries
- Malware Configuration Extractor: 1 entry
Exploits (detection sources; the individual hit values were not extracted)
- File source: 4 entries
Compliance (detection sources; the individual hit values were not extracted)
- Unpacked PE file: 3 entries
- Static PE information: 1 entry
- File opened: 1 entry
- HTTPS traffic detected: 1 entry
- Binary string: 11 entries
Networking (detection sources; the individual hit values were not extracted)
- Network Connect: 11 entries
- Domain query: 3 entries
- Snort IDS: 1 entry
- URLs: 4 entries
- JA3 fingerprint: 1 entry
- HTTP traffic detected: 1 entry