Edit tour
Windows
Analysis Report
SecuriteInfo.com.W32.Kryptik.LKE.gen.Eldorado.17641.17677.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- SecuriteInfo.com.W32.Kryptik.LKE.gen.Eldorado.17641.17677.exe (PID: 3152 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. W32.Krypti k.LKE.gen. Eldorado.1 7641.17677 .exe" MD5: B1281430B4F8C39015940B1E5DC9D569) - WerFault.exe (PID: 2656 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 152 -s 740 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 6328 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 152 -s 748 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 7068 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 152 -s 776 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 2708 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 152 -s 788 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 1188 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 152 -s 924 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 7068 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 152 -s 101 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 4908 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 152 -s 128 4 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 5264 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 152 -s 150 8 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 1464 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 152 -s 154 0 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
|
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_004034B0 | |
Source: | Code function: | 0_2_02173717 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | HTTP traffic detected: |