Edit tour
Windows
Analysis Report
9NBx4Vmiuj.exe
Overview
General Information
Sample name: | 9NBx4Vmiuj.exerenamed because original name is a hash value |
Original sample name: | 1d562eaa3e33451a40f60c976c6f4bc0.exe |
Analysis ID: | 1416004 |
MD5: | 1d562eaa3e33451a40f60c976c6f4bc0 |
SHA1: | de0f3e027e12162388ec953936857f06b71487ca |
SHA256: | dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614 |
Tags: | 64exetrojan |
Infos: | |
Detection
PureLog Stealer, XWorm, zgRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Telegram RAT
Yara detected XWorm
Yara detected zgRAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PersistenceViaHiddenTask
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- 9NBx4Vmiuj.exe (PID: 7060 cmdline:
"C:\Users\ user\Deskt op\9NBx4Vm iuj.exe" MD5: 1D562EAA3E33451A40F60C976C6F4BC0)
- TypeId.exe (PID: 1248 cmdline:
C:\Users\u ser\AppDat a\Roaming\ AuditRuleT ype\TypeId .exe MD5: 1D562EAA3E33451A40F60C976C6F4BC0) - RegSvcs.exe (PID: 348 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Re gSvcs.exe MD5: DC67ADE51149EC0C373A379473895BA1) - btjxg.exe (PID: 1784 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\btjxg. exe" MD5: 2649EF15CF6004B05C80ABD825CD594E) - powershell.exe (PID: 2284 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Execution Policy Byp ass Add-Mp Preference -Exclusio nPath 'C:\ Users\user \AppData\L ocal\Temp\ btjxg.exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5544 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7444 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Execution Policy Byp ass Add-Mp Preference -Exclusio nProcess ' btjxg.exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7452 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7704 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Execution Policy Byp ass Add-Mp Preference -Exclusio nPath 'C:\ ProgramDat a\btjxg.ex e' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7712 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- TypeId.exe (PID: 7224 cmdline:
C:\Users\u ser\AppDat a\Roaming\ AuditRuleT ype\TypeId .exe MD5: 1D562EAA3E33451A40F60C976C6F4BC0)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
{"C2 url": "https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
Click to see the 39 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
Click to see the 64 entries |
System Summary |
---|
Source: | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: |
Source: | Author: frack113: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Timestamp: | 03/26/24-18:25:18.899869 |
SID: | 2852870 |
Source Port: | 8081 |
Destination Port: | 49797 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | URL Reputation: | ||
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Networking |
---|
Source: | Snort IDS: |
Source: | TCP traffic: |
Source: | DNS query: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | HTTP traffic detected: |