Loading... Additional Content is being loaded
Windows
Analysis Report
ZOL2mIYAUH.exe
Overview
General Information
| Sample name: | ZOL2mIYAUH.exerenamed because original name is a hash value |
| Original sample name: | 789473143f4f1465f0221fca36ac25f48cae1223f51c9d6219544b27879ec3a6.exe |
| Analysis ID: | 1561594 |
| MD5: | 12395d08dc0bfe12e63605328ddd982f |
| SHA1: | 51ceb544e3900fb85fe7aada564d081219464d1d |
| SHA256: | 789473143f4f1465f0221fca36ac25f48cae1223f51c9d6219544b27879ec3a6 |
| Tags: | exeuser-Chainskilabs |
| Infos: |   |
 |
|
Detection
Phemedrone Stealer, PureLog Stealer, XWorm, zgRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Generic Stealer
Yara detected Phemedrone Stealer
Yara detected PureLog Stealer
Yara detected XWorm
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
|
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
|
AV Detection |
  |
|---|
| Source: |
Avira: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Malware Configuration Extractor: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
Integrated Neural Analysis Model: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
Compliance |
|
|---|
| Source: |
Unpacked PE file: |
||
| Source: |
Unpacked PE file: |
||
| Source: |
Unpacked PE file: |
||
| Source: |
Static PE information: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
Binary string: |
||
| Source: |
Code function: |
0_2_00469CD8 | |
| Source: |
Code function: |
23_2_00D33CD8 | |
Networking |
|
|---|
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
URLs: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
TCP traffic: |
||
| Source: |
HTTP traffic detected: | ||