
Analysis Report 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 123514
Start date: 15.04.2019
Start time: 22:36:47
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 46s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.phis.troj.spyw.evad.winEXE@8/1@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 84    | 0 - 100 |           | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection (4, 1, 1); Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Hidden Users (1); Disabling Security Tools (1); Software Packing (1); Process Injection (4, 1, 1)
Credential Access: Input Capture (1, 1); Credentials in Files (1); Input Capture; Credentials in Files
Discovery: Process Discovery (1); Security Software Discovery (1); System Information Discovery (1, 1); System Network Configuration Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Input Capture (1, 1); Data from Local System (1); Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Uncommonly Used Port (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication

Signature Overview



AV Detection:

Antivirus and Machine Learning detection for unpacked file
Source: 7.2.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack | Avira: Label: TR/RedCap.ghjpt
Source: 7.1.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack | Avira: Label: TR/RedCap.ghjpt

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.6:49833 -> 185.234.218.225:5200
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.218.225
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Urls found in memory or binary data
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8674429918.0000000003598000.00000004.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8674429918.0000000003598000.00000004.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8674429918.0000000003598000.00000004.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8674429918.0000000003598000.00000004.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8674429918.0000000003598000.00000004.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8674429918.0000000003598000.00000004.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8674429918.0000000003598000.00000004.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000001.7948166555.0000000000400000.00000040.sdmp | String found in binary or memory: http://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp:
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000001.7948166555.0000000000400000.00000040.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8674429918.0000000003598000.00000004.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8674429918.0000000003598000.00000004.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000001.7948166555.0000000000400000.00000040.sdmp | Binary or memory string: GetRawInputData

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_01
PE file contains strange resources
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample reads its own file content
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | File read: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Yara signature match
Source: 00000007.00000003.7951769000.0000000000469000.00000004.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000007.00000003.7952254516.000000000046B000.00000004.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000007.00000003.7952207557.000000000046B000.00000004.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000007.00000003.7952549270.0000000000470000.00000004.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000007.00000001.7948340542.0000000000418000.00000040.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000007.00000003.7951474845.0000000000461000.00000004.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000007.00000002.8665611369.0000000000400000.00000040.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000007.00000002.8665611369.0000000000400000.00000040.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 7.2.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 7.2.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 7.2.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 7.2.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 7.1.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 7.1.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Classification label
Source: classification engine | Classification label: mal84.phis.troj.spyw.evad.winEXE@8/1@0/1
Creates files inside the program directory
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | File created: C:\Program Files\Microsoft DN1
Creates files inside the user directory
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | File created: C:\Users\user\AppData\Local\Microsoft Vision\
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000003.8305657363.0000000000507000.00000004.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000003.8305657363.0000000000507000.00000004.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000003.8305657363.0000000000507000.00000004.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000003.8305657363.0000000000507000.00000004.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000003.8305657363.0000000000507000.00000004.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000003.8305657363.0000000000507000.00000004.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000003.8305657363.0000000000507000.00000004.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe 'C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Process created: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe 'C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe'
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Creates a directory in C:\Program Files
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Directory created: C:\Program Files\Microsoft DN1
Submission file is bigger than most known malware samples
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Static file information: File size 1253890 > 1048576
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb | source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000003.8305657363.0000000000507000.00000004.sdmp

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000001.7948166555.0000000000400000.00000040.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000001.7948166555.0000000000400000.00000040.sdmp | String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathhttp://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp://5.206.225.104/dll/mozglue.dllhttp://5.206.225.104/dll/vcruntime140.dllhttp://5.206.225.104/dll/freebl3.dllhttp://5.206.225.104/dll/nss3.dllsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 618
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe TID: 4476 | Thread sleep count: 112 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 3684 | Thread sleep count: 618 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 3684 | Thread sleep time: -7416000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Queries a list of all running processes
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Process queried: DebugFlags
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Process queried: DebugObjectHandle

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 7F0000 protect: page read and write
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 3C010E
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Section loaded: unknown target pid: 4120 protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3C0000
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 7F0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Process created: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe 'C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe'
Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
May try to detect the Windows Explorer process (often used for injection)
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8666739053.0000000000C30000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8666739053.0000000000C30000.00000002.sdmp | Binary or memory string: Progman
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8666739053.0000000000C30000.00000002.sdmp | Binary or memory string: ZProgram Manager
Source: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe, 00000007.00000002.8666739053.0000000000C30000.00000002.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
  Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
  Queries volume information: C:\ VolumeInformation
Queries the cryptographic machine GUID
  Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connections per server for Internet Explorer
  Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
  Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
  Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\pkcs11.txt
  Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\cert9.db
  Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\logins.json
  Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
  Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
  Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\key4.db
Tries to steal Mail credentials (via file access)
  Source: C:\Users\user\Desktop\23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
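The injection entries above form one chain (cmd.exe is created, read/write memory is allocated in it at 7F0000, the regions at 3C0000 and 7F0000 are written, and a remote thread is started at EIP 3C010E, just above the base written at 3C0000), and the file and registry entries in this section are opens of known browser and mail credential stores. Correlating that by hand across a long signature list is error-prone. The Python script below is an added example written for this edit; it is not part of the Joe Sandbox report or its tooling. It parses lines in the "Source: <process><action>: <detail>" shape this report uses, tracks foreign-process allocate/write/thread events per injector and target, flags opens of Firefox, Chrome and Outlook credential stores, and flags the MachineGuid query. The event list is constructed to mirror the entries above (sample name shortened to sample.exe, one benign file open added); the line regex, the category names and the store path patterns are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed behaviour lines modelled on this report's "Source: <process><action>: <detail>"
# entries. Not copied from the sandbox output: the sample name is shortened to sample.exe,
# the "Jump to behavior" link text is dropped, and one benign file open is added.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\sample.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe",
    r"Source: C:\Users\user\Desktop\sample.exeMemory allocated: C:\Windows\SysWOW64\cmd.exe base: 7F0000 protect: page read and write",
    r"Source: C:\Users\user\Desktop\sample.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 3C0000",
    r"Source: C:\Users\user\Desktop\sample.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 7F0000",
    r"Source: C:\Users\user\Desktop\sample.exeThread created: C:\Windows\SysWOW64\cmd.exe EIP: 3C010E",
    r"Source: C:\Users\user\Desktop\sample.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\logins.json",
    r"Source: C:\Users\user\Desktop\sample.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\key4.db",
    r"Source: C:\Users\user\Desktop\sample.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\Desktop\sample.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\Desktop\sample.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\sample.exeFile opened: C:\Users\user\AppData\Roaming\notes.txt",
]

ACTIONS = ("Process created", "Memory allocated", "Memory written", "Thread created",
           "File opened", "Key opened", "Key value queried")
# The source path and the action run together in the extracted report, so allow zero spaces.
EVENT_RE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)\s*(?P<action>" + "|".join(ACTIONS) + r"):\s*(?P<detail>.+?)\s*$")
TARGET_RE = re.compile(r"^(?P<target>.+?\.exe)\s+(?P<rest>.+)$")

# Credential stores worth flagging when anything but the owning application opens them
# (patterns are this example's own; key3.db/cert8.db are the pre-Firefox-58 file names).
CREDENTIAL_STORES = [
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key[34]\.db|cert[89]\.db)$", re.I),
     "Firefox saved logins / NSS key and certificate database"),
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I), "Chrome saved logins"),
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I),
     "Outlook/MAPI profile (mail account settings and credentials)"),
]


def parse_event(line):
    """Split one flattened signature line into (source, action, detail), or None if it is not one."""
    m = EVENT_RE.match(line)
    return m.group("src", "action", "detail") if m else None


def _thread_vs_written(written, thread):
    """Relate the remote thread's EIP to the written bases (the report gives no region sizes)."""
    eip = re.search(r"EIP:\s*([0-9A-Fa-f]+)", thread)
    bases = [int(b, 16) for r in written for b in re.findall(r"base:\s*([0-9A-Fa-f]+)", r)]
    if not eip or not bases:
        return ""
    eip = int(eip.group(1), 16)
    below = [b for b in bases if b <= eip]
    if not below:
        return "thread start 0x%X is below every written base" % eip
    return "thread start 0x%X is 0x%X bytes above written base 0x%X" % (eip, eip - max(below), max(below))


def triage(lines):
    """Return (category, subject, note) findings for a list of behaviour lines."""
    findings = []
    stages = {"Memory allocated": "alloc", "Memory written": "write", "Thread created": "thread"}
    chains = defaultdict(lambda: {"alloc": [], "write": [], "thread": []})  # keyed by (injector, target)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        src, action, detail = ev
        if action in stages:
            t = TARGET_RE.match(detail)
            if t is None or t.group("target").lower() == src.lower():
                continue  # unparseable, or a process touching its own memory
            chains[(src, t.group("target"))][stages[action]].append(t.group("rest"))
        elif action in ("File opened", "Key opened"):
            for pattern, label in CREDENTIAL_STORES:
                if pattern.search(detail):
                    findings.append(("credential_access", detail, label))
                    break
        elif action == "Key value queried" and detail.endswith("MachineGuid"):
            findings.append(("host_fingerprint", detail, "stable per-host ID, commonly reused as a victim identifier"))
    for (src, target), st in chains.items():
        if st["write"] and st["thread"]:
            parts = ["%d alloc, %d write, remote thread %s" % (len(st["alloc"]), len(st["write"]), st["thread"][0]),
                     _thread_vs_written(st["write"], st["thread"][0])]
            findings.append(("remote_thread_injection", target, "; ".join(p for p in parts if p)))
        elif st["alloc"] or st["write"]:
            findings.append(("foreign_memory_access", target, "allocation/write without a remote thread"))
    return findings


if __name__ == "__main__":
    for category, subject, note in triage(SAMPLE_EVENTS):
        print("%-24s %s\n%25s%s" % (category, subject, "", note))
```

The thread/base correlation is deliberately weak because the report records only base addresses, not region sizes: the script reports the distance from the nearest written base below the EIP and leaves the judgement to the analyst.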

Behavior Graph

Behavior Graph ID: 123514
Sample: 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe
Start date: 15/04/2019
Architecture: WINDOWS
Score: 84

Sample-level signatures:
  • Contains functionality to hide user accounts
  • Initial sample is a PE file and has a suspicious name
  • Detected TCP or UDP traffic on non-standard ports
  • Antivirus and Machine Learning detection for unpacked file

Process tree (the numbers the graph shows next to a process are its count of created registry values and created files):
  23Payment Advice-Hotel-layoutr-equirement-2902344175.exe (first instance)
    signature: Maps a DLL or memory area into another process
    └ 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe (second instance)
        └ 23Payment Advice-Hotel-layoutr-equirement-2902344175.exe (third instance; annotated 3 3)
            network: 185.234.218.225, ports 49833 and 5200, ASN unknown, Poland
              (49833 is in the Windows ephemeral client-port range, so 5200 is the server-side port)
              signature on this connection: Detected TCP or UDP traffic on non-standard ports
            signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
            └ cmd.exe (annotated 1)
                └ conhost.exe

Simulations

Behavior and APIs

Time      Type             Description
22:38:30  API Interceptor  620x Sleep call for process: cmd.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                                                                         Detection  Scanner  Label
7.2.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack   100%       Avira    TR/RedCap.ghjpt
7.1.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack   100%       Avira    TR/RedCap.ghjpt

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source                                                        Rule            Description                       Author
00000007.00000003.7951769000.0000000000469000.00000004.sdmp   Codoso_Gh0st_1  Detects Codoso APT Gh0st Malware  Florian Roth
00000007.00000003.7952254516.000000000046B000.00000004.sdmp   Codoso_Gh0st_1  Detects Codoso APT Gh0st Malware  Florian Roth
00000007.00000003.7952207557.000000000046B000.00000004.sdmp   Codoso_Gh0st_1  Detects Codoso APT Gh0st Malware  Florian Roth
00000007.00000003.7952549270.0000000000470000.00000004.sdmp   Codoso_Gh0st_1  Detects Codoso APT Gh0st Malware  Florian Roth
00000007.00000001.7948340542.0000000000418000.00000040.sdmp   Codoso_Gh0st_1  Detects Codoso APT Gh0st Malware  Florian Roth
00000007.00000003.7951474845.0000000000461000.00000004.sdmp   Codoso_Gh0st_1  Detects Codoso APT Gh0st Malware  Florian Roth
00000007.00000002.8665611369.0000000000400000.00000040.sdmp   Codoso_Gh0st_2  Detects Codoso APT Gh0st Malware  Florian Roth
00000007.00000002.8665611369.0000000000400000.00000040.sdmp   Codoso_Gh0st_1  Detects Codoso APT Gh0st Malware  Florian Roth

Unpacked PEs

Source                                                                             Rule            Description                       Author
7.2.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.raw.unpack   Codoso_Gh0st_2  Detects Codoso APT Gh0st Malware  Florian Roth
7.2.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.raw.unpack   Codoso_Gh0st_1  Detects Codoso APT Gh0st Malware  Florian Roth
7.2.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack       Codoso_Gh0st_2  Detects Codoso APT Gh0st Malware  Florian Roth
7.2.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack       Codoso_Gh0st_1  Detects Codoso APT Gh0st Malware  Florian Roth
7.1.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack       Codoso_Gh0st_2  Detects Codoso APT Gh0st Malware  Florian Roth
7.1.23Payment Advice-Hotel-layoutr-equirement-2902344175.exe.400000.0.unpack       Codoso_Gh0st_1  Detects Codoso APT Gh0st Malware  Florian Roth
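The dump identifiers in the Memory Dumps table encode where each YARA hit came from. Reading them against this report, the fields are a process index, a dump stage, a numeric dump ID, the region base address (16 hex digits) and the region's Windows page protection (8 hex digits, the winnt.h constants: 00000040 is PAGE_EXECUTE_READWRITE, 00000004 is PAGE_READWRITE, 00000002 is PAGE_READONLY). The first two fields are the same "7.1" / "7.2" prefixes that the Unpacked PEs entries carry. The Python script below is an added example, not part of Joe Sandbox or its report format documentation; it parses the names, decodes the protection and ranks the hits so that executable regions, the only ones that can hold the running Gh0st code, come first. The field layout is inferred from this report's names and is an assumption; what each stage number means in the course of the run is not stated on the page and is left undecoded. The match list is copied from the Memory Dumps table above.

```python
import re
from collections import namedtuple

# Windows page-protection constants (winnt.h); the low byte of the dump name's fifth field.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any of the four execute variants

# Field layout inferred from this report's names (assumption, see lead-in):
# <process index>.<dump stage>.<dump id>.<base address>.<page protection>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.sdmp$")

Dump = namedtuple("Dump", "name proc stage base protection executable")


def parse_dump_name(name):
    """Decode one memory-dump identifier; raises ValueError for anything else."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError("not a memory-dump name: %r" % name)
    prot = int(m.group("prot"), 16)
    return Dump(name, int(m.group("proc"), 16), int(m.group("stage"), 16), int(m.group("base"), 16),
                PAGE_PROTECTION.get(prot & 0xFF, "0x%X" % prot), bool(prot & EXECUTE_MASK))


def rank_matches(matches):
    """Group (dump_name, rule) hits by process and base address, executable regions first.

    Returns a list of (proc, base, protection, sorted rules, sorted stages).
    """
    by_region = {}
    for name, rule in matches:
        d = parse_dump_name(name)
        entry = by_region.setdefault((d.proc, d.base), {"dump": d, "rules": set(), "stages": set()})
        entry["rules"].add(rule)
        entry["stages"].add(d.stage)
        if d.executable and not entry["dump"].executable:
            entry["dump"] = d  # prefer an executable snapshot of the same region
    ordered = sorted(by_region.values(), key=lambda e: (not e["dump"].executable, e["dump"].base))
    return [(e["dump"].proc, e["dump"].base, e["dump"].protection, sorted(e["rules"]), sorted(e["stages"]))
            for e in ordered]


# Hits copied from the Memory Dumps table of this report.
REPORT_MATCHES = [
    ("00000007.00000003.7951769000.0000000000469000.00000004.sdmp", "Codoso_Gh0st_1"),
    ("00000007.00000003.7952254516.000000000046B000.00000004.sdmp", "Codoso_Gh0st_1"),
    ("00000007.00000003.7952207557.000000000046B000.00000004.sdmp", "Codoso_Gh0st_1"),
    ("00000007.00000003.7952549270.0000000000470000.00000004.sdmp", "Codoso_Gh0st_1"),
    ("00000007.00000001.7948340542.0000000000418000.00000040.sdmp", "Codoso_Gh0st_1"),
    ("00000007.00000003.7951474845.0000000000461000.00000004.sdmp", "Codoso_Gh0st_1"),
    ("00000007.00000002.8665611369.0000000000400000.00000040.sdmp", "Codoso_Gh0st_2"),
    ("00000007.00000002.8665611369.0000000000400000.00000040.sdmp", "Codoso_Gh0st_1"),
]

if __name__ == "__main__":
    for proc, base, prot, rules, stages in rank_matches(REPORT_MATCHES):
        print("proc %d  base 0x%08X  %-22s stages %s  %s" % (proc, base, prot, stages, ", ".join(rules)))
```

On this report's data the two executable hits are 0x400000 (both rules, stage 2) and 0x418000 (stage 1); 0x400000 is the base that the Unpacked PEs table lists as 400000.0.unpack, which is where a defender would start. The remaining four bases at 0x461000 to 0x470000 are read/write, non-executable regions and carry only Codoso_Gh0st_1 hits.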

Joe Sandbox View / Context

IPs

Match            Associated Sample Name / URL                               Detection
185.234.218.225  29Payment Advice-Hotel-layoutr-equirement-2902344175.exe   malicious

    Domains

    No context

    ASN

    Match    Associated Sample Name / URL                                         Detection  Contacted IP
    unknown  request.doc                                                          malicious  192.168.0.44
    unknown  FERK444259.doc                                                       malicious  192.168.0.44
    unknown  b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js  malicious  192.168.0.40
    unknown  Setup.exe                                                            malicious  192.168.0.40
    unknown  base64.pdf                                                           malicious  192.168.0.40
    unknown  file.pdf                                                             malicious  192.168.0.40
    unknown  Spread sheet 2.pdf                                                   malicious  192.168.0.40
    unknown  request_08.30.doc                                                    malicious  192.168.0.44
    unknown  P_2038402.xlsx                                                       malicious  192.168.0.44
    unknown  48b1cf747a678641566cd1778777ca72.apk                                 malicious  192.168.0.22
    unknown  seu nome na lista de favorecidos.exe                                 malicious  192.168.0.40
    unknown  Adm_Boleto.via2.com                                                  malicious  192.168.0.40
    unknown  QuitacaoVotorantim345309.exe                                         malicious  192.168.0.40
    unknown  pptxb.pdf                                                            malicious  192.168.0.40

    Every entry in this "unknown" ASN bucket is a private RFC 1918 address (192.168.0.x), which has no ASN by definition, so this table does not link the sample to 185.234.218.225 or to any other external infrastructure.

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Screenshots

    Thumbnails
