Edit tour
Windows
Analysis Report
hloRQZmlfg.exe
Overview
General Information
Sample name: | hloRQZmlfg.exerenamed because original name is a hash value |
Original sample name: | cee4e023e6afaaa51f600caec3469215.exe |
Analysis ID: | 1528586 |
MD5: | cee4e023e6afaaa51f600caec3469215 |
SHA1: | bf2ceff1f19f09a70863d1f8c7be0fa9662b3b04 |
SHA256: | da52143dd6a13c1ea3e24e735f64938830e2a3160ae08989629a43e5020d1173 |
Tags: | 32exetrojan |
Infos: | |
Detection
RDPWrap Tool
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a new user with administrator rights
Allows multiple concurrent remote connection
Enables remote desktop connection
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Outbound RDP Connections Over Non-Standard Tools
Sigma detected: RDP Sensitive Settings Changed
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected RDPWrap Tool
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: New User Created Via Net.EXE
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- hloRQZmlfg.exe (PID: 2444 cmdline:
"C:\Users\ user\Deskt op\hloRQZm lfg.exe" MD5: CEE4E023E6AFAAA51F600CAEC3469215) - cmd.exe (PID: 432 cmdline:
"cmd.exe" /c net use r MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6052 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 504 cmdline:
"cmd.exe" /c "C:\Use rs\user\Ap pData\Loca l\Temp\RDP WInst.exe" -i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6872 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - RDPWInst.exe (PID: 1564 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\RDPWIns t.exe -i MD5: C213162C86BB943BCDF91B3DF381D2F6) - netsh.exe (PID: 2344 cmdline:
netsh advf irewall fi rewall add rule name ="Remote D esktop" di r=in proto col=tcp lo calport=33 89 profile =any actio n=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB) - cmd.exe (PID: 2112 cmdline:
"cmd.exe" /c net use r RDPUser_ 1e47a393 G Edtvn58rfd r /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 4820 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 4700 cmdline:
"cmd.exe" /c net loc algroup MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 760 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6712 cmdline:
"cmd.exe" /c netsh a dvfirewall firewall add rule n ame="RDP" dir=in act ion=allow protocol=t cp localpo rt=3389 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7132 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - netsh.exe (PID: 1856 cmdline:
netsh advf irewall fi rewall add rule name ="RDP" dir =in action =allow pro tocol=tcp localport= 3389 MD5: 4E89A1A088BE715D6C946E55AB07C7DF) - cmd.exe (PID: 2464 cmdline:
"cmd.exe" /c net loc algroup "A dministrat ors" RDPUs er_1e47a39 3 /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5656 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WerFault.exe (PID: 1512 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 2 444 -s 275 6 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rdpvideominiport.sys (PID: 4 cmdline:
MD5: 77FF15B9237D62A5CBC6C80E5B20A492)
- rdpdr.sys (PID: 4 cmdline:
MD5: 64991B36F0BD38026F7589572C98E3D6)
- tsusbhub.sys (PID: 4 cmdline:
MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
Click to see the 3 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
System Summary |
---|
Source: | Author: Markus Neis: |
Source: | Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali: |
Source: | Author: Max Altgelt (Nextron Systems): |
Source: | Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): |
Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: |
Source: | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-08T03:23:43.830864+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 104.26.12.205 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Directory created: | Jump to behavior | ||
Source: | Directory created: | Jump to behavior | ||
Source: | Directory created: | Jump to behavior |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |