
Windows Analysis Report
zn7j8Etem5.exe

Overview

General Information

Sample name: zn7j8Etem5.exe (renamed because original name is a hash value)
Original sample name: f72f063babd357ccdc6c346191a305b9.exe
Analysis ID: 1402164
MD5: f72f063babd357ccdc6c346191a305b9
SHA1: a7794664194a9087cbf9114d0c33bb88e9ceacc9
SHA256: c90d23214088641431d2a93b6e3dfa26e6f5149bc8028449b7ce2f8edb2a6dd3
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
IP address seen in connection with other malware
May check the online IP address of the machine
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Yara detected Credential Stealer

Classification

  • System is w10x64
  • zn7j8Etem5.exe (PID: 6856 cmdline: C:\Users\user\Desktop\zn7j8Etem5.exe MD5: F72F063BABD357CCDC6C346191A305B9)
    • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 6012 cmdline: wmic cpu get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • WMIC.exe (PID: 7136 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.1687761523.000000C000092000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: zn7j8Etem5.exe PID: 6856 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched


      AV Detection

Source: zn7j8Etem5.exe | Virustotal: Detection: 26%
Source: zn7j8Etem5.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 34.117.186.192 34.117.186.192
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: ipinfo.io User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Source: unknown | DNS traffic detected: queries for: ipinfo.io
Source: zn7j8Etem5.exe, 00000000.00000002.1687761523.000000C00010C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.iohttp/1.1Y
Source: zn7j8Etem5.exe, 00000000.00000002.1687761523.000000C00010C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.iohttp/1.1Yipinfo.io:80HTTP_PROYHTTP_PROXYHTTP_PROXYhttp_proxyHTTPS_PRNO_PROXYHTTPS_PR
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000310000.00000004.00001000.00020000.00000000.sdmp, CfBCRUfD.dat.0.dr, zmDmyEGJ.dat.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000310000.00000004.00001000.00020000.00000000.sdmp, CfBCRUfD.dat.0.dr, zmDmyEGJ.dat.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000310000.00000004.00001000.00020000.00000000.sdmp, CfBCRUfD.dat.0.dr, zmDmyEGJ.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000310000.00000004.00001000.00020000.00000000.sdmp, CfBCRUfD.dat.0.dr, zmDmyEGJ.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000310000.00000004.00001000.00020000.00000000.sdmp, CfBCRUfD.dat.0.dr, zmDmyEGJ.dat.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000310000.00000004.00001000.00020000.00000000.sdmp, CfBCRUfD.dat.0.dr, zmDmyEGJ.dat.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000310000.00000004.00001000.00020000.00000000.sdmp, CfBCRUfD.dat.0.dr, zmDmyEGJ.dat.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: zn7j8Etem5.exe, 00000000.00000002.1687761523.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, zn7j8Etem5.exe, 00000000.00000002.1687761523.000000C000110000.00000004.00001000.00020000.00000000.sdmp, zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C0001CC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/missingauth
Source: zn7j8Etem5.exe, 00000000.00000002.1687761523.000000C00000E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/missingauthreflect.Value.SetMapIndex
Source: zn7j8Etem5.exe, 00000000.00000002.1687761523.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, system.txt.0.dr | String found in binary or memory: https://t.me/Planet_Stealer
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000310000.00000004.00001000.00020000.00000000.sdmp, CfBCRUfD.dat.0.dr, zmDmyEGJ.dat.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000310000.00000004.00001000.00020000.00000000.sdmp, CfBCRUfD.dat.0.dr, zmDmyEGJ.dat.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: samlib.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: classification engine | Classification label: mal52.spyw.winEXE@6/10@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | File created: C:\Users\user\AppData\Local\Temp\system.txt
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | File opened: C:\Windows\system32\4ae220c5fa8c765e3a9949e9de9ee9081cfb9cd05aba4f7df953ec55563d3ae1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: zn7j8Etem5.exe, 00000000.00000002.1687761523.000000C0000FA000.00000004.00001000.00020000.00000000.sdmp, zn7j8Etem5.exe, 00000000.00000002.1691044965.000001CCB9EF5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT a11,a102 FROM nssPrivate;
Source: zn7j8Etem5.exe, 00000000.00000002.1692240639.00007FF605E87000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: zn7j8Etem5.exe, 00000000.00000002.1692240639.00007FF605E87000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: zn7j8Etem5.exe, 00000000.00000002.1692240639.00007FF605E87000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: zn7j8Etem5.exe, 00000000.00000002.1692240639.00007FF605E87000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: zn7j8Etem5.exe, 00000000.00000002.1692240639.00007FF605E87000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: zn7j8Etem5.exe, 00000000.00000002.1687761523.000000C0000FA000.00000004.00001000.00020000.00000000.sdmp, zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000236000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: select name, value FROM autofillselect name, value FROM autofillPRAGMA busy_timeout = 5000;
Source: zn7j8Etem5.exe, 00000000.00000002.1692240639.00007FF605E87000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: zn7j8Etem5.exe, 00000000.00000002.1692240639.00007FF605E87000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C0002E7000.00000004.00001000.00020000.00000000.sdmp, zn7j8Etem5.exe, 00000000.00000003.1684758439.000001CCFFB25000.00000004.00000020.00020000.00000000.sdmp, rbmdPfoF.dat.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: zn7j8Etem5.exe, 00000000.00000002.1689211391.000000C000236000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: select name, value FROM autofillselect name, value FROM autofillPRAGMA busy_timeout = 5000;PRAGMA locking_mode = %s;PRAGMA locking_mode = NORMAL;PRAGMA synchronous = NORMAL;C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphC:\Users\user\AppData\Local\Temp\Cookies\chrome-default.txtC:\Users\user\AppData\Local\Temp\Cookies\chrome-default.txtC:\Users\user\AppData\Local\Temp\Cookies\chrome-default.txtsupport.microsoft.comTRUE/FALSE13340887735359381.AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuUN
Source: zn7j8Etem5.exe, 00000000.00000002.1687761523.000000C000086000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cardsC:\Users\user\AppData\Local\Amigo\User DataC:\Users\user\AppData\Local\Torch\User DataC:\Users\user\AppData\Local\Vivaldi\User DataC:\Users\user\AppData\Local\Orbitum\User DataC:\Users\user\AppData\Local\Kometa\User DataC:\Users\user\AppData\Local\Iridium\User DataPRAGMA synchronous = NORMAL;;pData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: zn7j8Etem5.exe, 00000000.00000002.1692240639.00007FF605E87000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: zn7j8Etem5.exe | Virustotal: Detection: 26%
Source: unknown | Process created: C:\Users\user\Desktop\zn7j8Etem5.exe C:\Users\user\Desktop\zn7j8Etem5.exe
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Users\user\Desktop\zn7j8Etem5.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name