Loading... Additional Content is being loaded
Windows
Analysis Report
h8jGj6Qe78.exe
Overview
General Information
| Sample name: | h8jGj6Qe78.exerenamed because original name is a hash value |
| Original sample name: | fd192fb05e0cd219b14c5bf345f33cfb.exe |
| Analysis ID: | 1502474 |
| MD5: | fd192fb05e0cd219b14c5bf345f33cfb |
| SHA1: | fbadb3784b44770045f6c84f3cc2db34e1b6863a |
| SHA256: | 0599250511b7b3ec63303fa14e98edef3092d61614e07106cf274bd6d43b2451 |
| Tags: | exeStealc |
| Infos: |   |
 |
|
Detection
CryptOne, SmokeLoader, Stealc, Vidar
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected CryptOne packer
Yara detected Powershell download and execute
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
|
|
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
|
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. | No Attribution |
|
AV Detection |
  |
|---|
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Malware Configuration Extractor: |
||
| Source: |
Malware Configuration Extractor: |
||
| Source: |
Malware Configuration Extractor: |
||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
|||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Integrated Neural Analysis Model: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Code function: |
29_2_6C846C80 | |
| Source: |
Code function: |
29_2_6C99A9A0 | |
| Source: |
Code function: |
29_2_6C9944C0 | |
| Source: |
Code function: |
29_2_6C964420 | |
| Source: |
Code function: |
29_2_6C994440 | |
| Source: |
Code function: |
29_2_6C9E25B0 | |
| Source: |
Code function: |
29_2_6C97E6E0 | |
| Source: |
Code function: |
29_2_6C99A650 | |
| Source: |
Code function: |
29_2_6C978670 | |
| Source: |
Code function: |
29_2_6C9BA730 | |
| Source: |
Code function: |
29_2_6C9C0180 | |
| Source: |
Code function: |
29_2_6C9943B0 | |
| Source: |
Code function: |
29_2_6C9B7C00 | |
| Source: |
Code function: |
29_2_6C9BBD30 | |
| Source: |
Code function: |
29_2_6C977D60 | |
| Source: |
Code function: |
29_2_6C9B9EC0 | |
| Source: |
Code function: |
29_2_6C993FF0 | |
| Source: |
Static PE information: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
HTTPS traffic detected: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Code function: |
7_2_004062EB | |
| Source: |
Code function: |
7_2_00406CB1 | |
| Source: |
Code function: |
25_2_00E84005 | |
| Source: |
Code function: |
25_2_00E8C2FF | |
| Source: |
Code function: |
25_2_00E8494A | |
| Source: |
Code function: |
25_2_00E8CD9F | |
| Source: |
Code function: |
25_2_00E8CD14 | |
| Source: |
Code function: |
25_2_00E8F5D8 | |
| Source: |
Code function: |
25_2_00E8F735 | |
| Source: |
Code function: |
25_2_00E8FA36 | |
| Source: |
Code function: |
25_2_00E83CE2 | |
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
Networking |
|
|---|
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Network Connect: |
Jump to behavior | ||
| Source: |
Network Connect: |
Jump to behavior | ||
| Source: |
Network Connect: |
Jump to behavior | ||
| Source: |
Network Connect: |
Jump to behavior | ||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
TCP traffic: |
||
| Source: |
HTTP traffic detected: | ||