Edit tour
Windows
Analysis Report
Q0cWJo6Jvh.exe
Overview
General Information
| Sample name: | Q0cWJo6Jvh.exerenamed because original name is a hash value |
| Original sample name: | 414753e6caa05ca4a49546cec841ef10.exe |
| Analysis ID: | 1528439 |
| MD5: | 414753e6caa05ca4a49546cec841ef10 |
| SHA1: | 998c0b4533f3e00eeacf441fbe29575198a574d4 |
| SHA256: | 5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6 |
| Tags: | 64exetrojan |
| Infos: |   |
 | |
Detection
| Score: | 80 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
AI detected suspicious sample
Modifies the windows firewall
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to access browser extension known for cryptocurrency wallets
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
Q0cWJo6Jvh.exe (PID: 5868 cmdline: "C:\Users\ user\Deskt op\Q0cWJo6 Jvh.exe" MD5: 414753E6CAA05CA4A49546CEC841EF10) 
install_2.dll (PID: 3064 cmdline: "C:\temp33 3\install_ 2.dll" MD5: D75BADD2424AF98CBB2DBEFEA073BE58) 
ybtrrus.exe (PID: 6916 cmdline: "C:\5p9SnC M5jV\ybtrr us.exe" MD5: 74D3F521A38B23CD25ED61E4F8D99F16) - schtasks.exe (PID: 6392 cmdline:
SCHTASKS / Query /TN "Boomer" MD5: 48C2FE20575769DE916F48EF0676A965) 
conhost.exe (PID: 5076 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1616 cmdline:
"C:\Window s\System32 \cmd.exe" /C SCHTASK S /Create /F /RL HIG HEST /TN " Boomer" /T R "C:\5p9S nCM5jV\ybt rrus.exe" /SC ONLOGO N /DELAY 0 001:00 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3472 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 7008 cmdline:
SCHTASKS / Create /F /RL HIGHES T /TN "Boo mer" /TR " C:\5p9SnCM 5jV\ybtrru s.exe" /SC ONLOGON / DELAY 0001 :00 MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 2268 cmdline:
"C:\Window s\System32 \cmd.exe" /C netsh a dvfirewall firewall add rule n ame="ybtrr us" dir=in action=al low progra m="C:\5p9S nCM5jV\ybt rrus.exe" enable=yes profile=a ny MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 2820 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - netsh.exe (PID: 6288 cmdline:
netsh advf irewall fi rewall add rule name ="ybtrrus" dir=in ac tion=allow program=" C:\5p9SnCM 5jV\ybtrru s.exe" ena ble=yes pr ofile=any MD5: 4E89A1A088BE715D6C946E55AB07C7DF) - cmd.exe (PID: 6684 cmdline:
cmd.exe /c ipconfig /flushdns MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6284 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - ipconfig.exe (PID: 1708 cmdline:
ipconfig / flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- ybtrrus.exe (PID: 1764 cmdline:
C:\5p9SnCM 5jV\ybtrru s.exe MD5: 74D3F521A38B23CD25ED61E4F8D99F16) 
WerFault.exe (PID: 5936 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 764 -s 556 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
System Summary |   |
|---|
| Source: | Author: Jonathan Cheong, oscd.community: | ||
| Source: | Author: Jonathan Cheong, oscd.community: | ||
| Source: | Author: Max Altgelt (Nextron Systems): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 2_2_6D3601F0 | |
| Source: | Binary or memory string: | memstr_41989d32-0 | |
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 2_2_6D371F00 | |
| Source: | Code function: | 2_2_6D3716F0 | |
| Source: | Code function: | 5_2_6CAAC2D0 | |
| Source: | Code function: | 0_2_00007FF7798CFB16 | |
| Source: | Code function: | 0_2_00007FF7798CFA66 | |
| Source: | Code function: | 0_2_00007FF7798BDA66 | |
| Source: | Code function: | 0_2_00007FF7798CF9B6 | |
| Source: | Code function: | 0_2_00007FF7798D596D | |
| Source: | Code function: | 0_2_00007FF779899CC9 | |
| Source: | Code function: | 0_2_00007FF7798BBCC6 | |
| Source: | Code function: | 0_2_00007FF7798CFD06 | |
| Source: | Code function: | 0_2_00007FF7798BDC76 | |
| Source: | Code function: | 0_2_00007FF7798CFBC6 | |
| Source: | Code function: | 0_2_00007FF7798BDB26 | |
| Source: | Code function: | 0_2_00007FF7798BBED6 | |
| Source: | Code function: | 0_2_00007FF779853ED0 | |
| Source: | Code function: | 0_2_00007FF7798CFF16 | |
| Source: | Code function: | 0_2_00007FF7798BBE26 | |
| Source: | Code function: | 0_2_00007FF7798CFDC6 | |
| Source: | Code function: | 0_2_00007FF7798BDD36 | |
| Source: | Code function: | 0_2_00007FF7798BBD76 | |
| Source: | Code function: | 0_2_00007FF7798BC0C6 | |
| Source: | Code function: | 0_2_00007FF7798CE110 | |
| Source: | Code function: | 0_2_00007FF7798CE110 | |
| Source: | Code function: | 0_2_00007FF779830093 | |
| Source: | Code function: | 0_2_00007FF7798CFFD6 | |
| Source: | Code function: | 0_2_00007FF7798BC016 | |
| Source: | Code function: | 0_2_00007FF7798C7F40 | |
| Source: | Code function: | 0_2_00007FF7798AB26D | |
| Source: | Code function: | 0_2_00007FF7798C74E0 | |
| Source: | Code function: | 0_2_00007FF7798C74E0 | |
| Source: | Code function: | 0_2_00007FF7798CF716 | |
| Source: | Code function: | 0_2_00007FF7798CF666 | |
| Source: | Code function: | 0_2_00007FF779859850 | |
| Source: | Code function: | 0_2_00007FF7798CF876 | |
| Source: | Code function: | 0_2_00007FF7798CF7C6 | |
| Source: | Code function: | 0_2_00007FF7798AD7FD | |
| Source: | Code function: | 0_2_00007FF779887760 | |
| Source: | Code function: | 0_2_00007FF7798CAAC0 | |
| Source: | Code function: | 0_2_00007FF7798CAAC0 | |
| Source: | Code function: | 0_2_00007FF7798CEAF0 | |
| Source: | Code function: | 0_2_00007FF7798CEAF0 | |
| Source: | Code function: | 0_2_00007FF7798CC9C0 | |
| Source: | Code function: | 0_2_00007FF7798C8CA0 | |
| Source: | Code function: | 0_2_00007FF7798C4C90 | |
| Source: | Code function: | 0_2_00007FF7798CAD50 | |
| Source: | Code function: | 0_2_00007FF77989AD8C | |
| Source: | Code function: | 0_2_00007FF77989AF5C | |
| Source: | Code function: | 0_2_00007FF7798BC226 | |
| Source: | Code function: | 0_2_00007FF7798CA260 | |
| Source: | Code function: | 0_2_00007FF7798CA260 | |
| Source: | Code function: | 0_2_00007FF7798BC176 | |
| Source: | Code function: | 0_2_00007FF7798CA4F0 | |
| Source: | Code function: | 0_2_00007FF779890430 | |
| Source: | Code function: | 0_2_00007FF7798CC450 | |
| Source: | Code function: | 0_2_00007FF77984A439 | |
| Source: | Code function: | 0_2_00007FF77988C5B0 | |
| Source: | Code function: | 0_2_00007FF77989A5AC | |
| Source: | Code function: | 0_2_00007FF7798B65DA | |
| Source: | HTTP traffic detected: | ||