Edit tour
Windows
Analysis Report
Stub.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- Stub.exe (PID: 3128 cmdline:
"C:\Users\ user\Deskt op\Stub.ex e" MD5: E50E5C919322AD54BD5ED6EEFBA01619) - cmd.exe (PID: 3964 cmdline:
"C:\Window s\System32 \cmd.exe" /c schtask s /create /f /sc onl ogon /rl h ighest /tn "gang" /t r '"C:\Use rs\user\Ap pData\Roam ing\gang.e xe"' & exi t MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 2764 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 1248 cmdline:
schtasks / create /f /sc onlogo n /rl high est /tn "g ang" /tr ' "C:\Users\ user\AppDa ta\Roaming \gang.exe" ' MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 4128 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\tmpA D4A.tmp.ba t"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 4352 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 3712 cmdline:
timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - gang.exe (PID: 5720 cmdline:
"C:\Users\ user\AppDa ta\Roaming \gang.exe" MD5: E50E5C919322AD54BD5ED6EEFBA01619)
- gang.exe (PID: 7116 cmdline:
C:\Users\u ser\AppDat a\Roaming\ gang.exe MD5: E50E5C919322AD54BD5ED6EEFBA01619)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Florian Roth (Nextron Systems): |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Operating System Destruction |
---|
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Process Stats: |
Source: | Code function: | 0_2_01080774 | |
Source: | Code function: | 0_2_010807C4 | |
Source: | Code function: | 0_2_01081792 | |
Source: | Code function: | 0_2_010807AA | |
Source: | Code function: | 0_2_010823C0 | |
Source: | Code function: | 8_2_01220774 | |
Source: | Code function: | 8_2_012223C8 | |
Source: | Code function: | 8_2_01221791 | |
Source: | Code function: | 8_2_012223C0 | |
Source: | Code function: | 9_2_028107C4 | |
Source: | Code function: | 9_2_02810774 | |
Source: | Code function: | 9_2_02811797 | |
Source: | Code function: | 9_2_02811D4F |
Source: | Code function: | 0_2_010869A8 | |
Source: | Code function: | 0_2_01081848 | |
Source: | Code function: | 0_2_01087278 | |
Source: | Code function: | 0_2_01086660 | |
Source: | Code function: | 8_2_012269A8 | |
Source: | Code function: | 8_2_01227278 | |
Source: | Code function: | 8_2_01226660 |
Source: | Static PE information: |
Source: | Base64 encoded string: |