Windows
Analysis Report
SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe
Overview
General Information
Detection
Glupteba, PureLog Stealer, zgRAT
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Glupteba
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Yara detected zgRAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found Tor onion address
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies Group Policy settings
PE file contains section with special chars
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" MD5: E1D8325B086F91769120381B78626E2E)
- powershell.exe (PID: 7484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WmiPrvSE.exe (PID: 7964 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- CasPol.exe (PID: 7520 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- JPl4ZLOvy3fY5RSXGk5s9Gl5.exe (PID: 7912 cmdline: "C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe" MD5: 3A4982B7D2352FB3089C01B9F33C25EB)
- JIsbjewlnghreiCB15kllzTk.exe (PID: 7992 cmdline: "C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
- 7ifrWkUACu1QmnINWqs0eu9h.exe (PID: 8008 cmdline: "C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
- T2RIU3FpH6dczIGTG32vuvvE.exe (PID: 8100 cmdline: "C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe" --silent --allusers=0 MD5: EF199316DF30CB4E02F45F156EC63A9A)
- T2RIU3FpH6dczIGTG32vuvvE.exe (PID: 8168 cmdline: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2bc,0x6c60e1d0,0x6c60e1dc,0x6c60e1e8 MD5: EF199316DF30CB4E02F45F156EC63A9A)
- T2RIU3FpH6dczIGTG32vuvvE.exe (PID: 5740 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe" --version MD5: EF199316DF30CB4E02F45F156EC63A9A)
- KI5P6OyhHMwNaNA4w0xtd3UY.exe (PID: 8124 cmdline: "C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe" MD5: A25CDF843E60F609B970AC9414170A7A)
- XEAazEoSTmJSOa66cXm6S07v.exe (PID: 2668 cmdline: "C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe" MD5: 3A4982B7D2352FB3089C01B9F33C25EB)
- QHuPF3k4no0JL9DdGqDYtkCG.exe (PID: 6480 cmdline: "C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
- Yz2gr4IqEnTCH1g642bo4hrO.exe (PID: 7016 cmdline: "C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
- 3wiDjAuNAMEeKc2Sp8AJvkHN.exe (PID: 7300 cmdline: "C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe" MD5: A25CDF843E60F609B970AC9414170A7A)
- syLcQZGPHHUJ3M0wbg0XxQZf.exe (PID: 5496 cmdline: "C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe" --silent --allusers=0 MD5: C2F0D0D1B405D1F1476B802BE5DD2ED3)
- syLcQZGPHHUJ3M0wbg0XxQZf.exe (PID: 8040 cmdline: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6bf8e1d0,0x6bf8e1dc,0x6bf8e1e8 MD5: C2F0D0D1B405D1F1476B802BE5DD2ED3)
- wjaGPzkDQjpdcbjBR9AwSFKW.exe (PID: 8044 cmdline: "C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe" MD5: 5D5DA0738299D8893B79A6C926765E5F)
- Install.exe (PID: 6740 cmdline: .\Install.exe /sQwdidHh "385118" /S MD5: E77964E011D8880EAE95422769249CA4)
- SU1be6oqYDorLkUc1l6IPPFB.exe (PID: 7896 cmdline: "C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe" MD5: 3A4982B7D2352FB3089C01B9F33C25EB)
- Vh2fqCjm9jPtwuJrcfbbwxLj.exe (PID: 7660 cmdline: "C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
- PqdYh9kiVSkf3FjC9RDfcS2e.exe (PID: 7768 cmdline: "C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
- 0XytwVHS3WE9jtGuuRid6GiP.exe (PID: 7216 cmdline: "C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe" --silent --allusers=0 MD5: CD54757EAFA70E59850F77982FAFCB49)
- 0XytwVHS3WE9jtGuuRid6GiP.exe (PID: 4476 cmdline: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6b0de1d0,0x6b0de1dc,0x6b0de1e8 MD5: CD54757EAFA70E59850F77982FAFCB49)
- 0XytwVHS3WE9jtGuuRid6GiP.exe (PID: 2764 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exe" --version MD5: CD54757EAFA70E59850F77982FAFCB49)
- mm4Q31XfpYKjbn6ceSwXhER9.exe (PID: 1068 cmdline: "C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe" MD5: 3A4982B7D2352FB3089C01B9F33C25EB)
- GGlApx2WKpOBsEMsKqplE6Uf.exe (PID: 5780 cmdline: "C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe" MD5: A25CDF843E60F609B970AC9414170A7A)
- 1HakjlIwxygCinOPkQfhRxwL.exe (PID: 3852 cmdline: "C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
- F6G6Y5cEUOHQw9dTwu4nNoIO.exe (PID: 5472 cmdline: "C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
- kuRSiZPmKhbW1guMqYXCvrAu.exe (PID: 6404 cmdline: "C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe" --silent --allusers=0 MD5: B1D3A17EDD5DACC6B98BEC740C1B4A2F)
- kBnX25PRDA3FRCf96qRj6qpV.exe (PID: 7052 cmdline: "C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe" MD5: A25CDF843E60F609B970AC9414170A7A)
- CasPol.exe (PID: 7540 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- WerFault.exe (PID: 7716 cmdline: C:\Windows\system32\WerFault.exe -u -p 7412 -s 1156 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- svchost.exe (PID: 7572 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- WerFault.exe (PID: 7668 cmdline: C:\Windows\system32\WerFault.exe -pss -s 208 -p 7412 -ip 7412 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cmd.exe (PID: 7692 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5me5kJjaX6nSu3LrmZClhT87.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- oE07FMGKijbqRxoSOEfcVNr4.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
- svchost.exe (PID: 5052 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 3104 cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1308 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
Glupteba | Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet. | No Attribution | |
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on. | No Attribution | |
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security |
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
| JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security |
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
| JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security |
System Summary |
---|
Author: Florian Roth (Nextron Systems) |
Author: Florian Roth (Nextron Systems) |
Author: Christian Burkard (Nextron Systems) |
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
Author: vburov |

Data Obfuscation |
---|
Author: Joe Security |
No Snort rule has matched
Category | Evidence source | Entries
---|---|---
AV Detection | Avira | 10
AV Detection | Virustotal (Perma Link) | 14
AV Detection | ReversingLabs | 3
AV Detection | File source | 9
AV Detection | Joe Sandbox ML | 13
Exploits | File source | 2
Bitcoin Miner | File source | 9
Compliance | Unpacked PE file | 3
Compliance | File created | 4
Compliance | File opened | 1
Compliance | Static PE information | 1
Compliance | Binary string | 11