Windows
Analysis Report
SecuriteInfo.com.Program.Unwanted.5412.9308.3353.exe
Overview
General Information
Detection
PureLog Stealer
| Field | Value |
|---|---|
| Score | 46 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Snort IDS alert for network traffic
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Detected potential unwanted application
Excessive usage of taskkill to terminate processes
Modifies Internet Explorer zone settings
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
- System is w10x64
- SecuriteInfo.com.Program.Unwanted.5412.9308.3353.exe (PID: 4524, cmdline: `"C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5412.9308.3353.exe"`, MD5: 630EAF6B2CD6A3D86A3575F746A660EA)
- SecuriteInfo.com.Program.Unwanted.5412.9308.3353.tmp (PID: 1248, cmdline: `"C:\Users\user\AppData\Local\Temp\is-FD3PS.tmp\SecuriteInfo.com.Program.Unwanted.5412.9308.3353.tmp" /SL5="$10474,14009033,878592,C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5412.9308.3353.exe"`, MD5: C587F58BA1C48D1EF273A4B9F9E1CEAC)
- taskkill.exe (PID: 6352, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RBClientService.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 736, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5536, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RightBackup.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 6136, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 6784, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RightBackup.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 6156, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 2020, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RBClientService.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 2132, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 2920, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RightBackup.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 2180, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 3364, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RBClientService.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 6304, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5696, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RBNotifier.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 6152, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5592, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RightBackup.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 3380, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 1880, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RBClientService.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 4980, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5304, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RightBackup.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 1680, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 6152, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RBClientService.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 3652, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 6208, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RightBackup.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 2148, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5028, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RBClientService.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 3624, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 6388, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RBNotifier.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 3396, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 320, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RightBackup.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 3184, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5592, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RBClientService.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 2180, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 1880, cmdline: `"C:\Windows\System32\taskkill.exe" /f /im "RBNotifier.exe"`, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 3560, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 1276, cmdline: `"C:\Windows\System32\schtasks.exe" /delete /tn "NotifierRight Backup" /f`, MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 5660, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 6152, cmdline: `"C:\Windows\System32\schtasks.exe" /delete /tn "NotifierRight Backup_startup" /f`, MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 3652, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 6784, cmdline: `"C:\Windows\System32\schtasks.exe" /delete /tn "Right Backup Notifier" /f`, MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 3276, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 6208, cmdline: `"C:\Windows\System32\schtasks.exe" /delete /tn "Right Backup Notifier_startup" /f`, MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 3288, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 3624, cmdline: `"C:\Windows\System32\schtasks.exe" /delete /tn "Right Backup Notifier_trigger" /f`, MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 4856, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 2132, cmdline: `"C:\Windows\System32\schtasks.exe" /delete /tn "NotifierRight Backup_WD" /f`, MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 2820, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- RightBackup.exe (PID: 6520, cmdline: `"C:\Program Files (x86)\Right Backup\RightBackup.exe" loadvalues`, MD5: 0E1DC3C18FD7BE48BDC6664E40705E1C)
- RightBackup.exe (PID: 4112, cmdline: `"C:\Program Files (x86)\Right Backup\RightBackup.exe" install`, MD5: 0E1DC3C18FD7BE48BDC6664E40705E1C)
- RightBackup.exe (PID: 3496, cmdline: `"C:\Program Files (x86)\Right Backup\RightBackup.exe" firstinstall -autoscanafterinstall -fireurlsilently`, MD5: 0E1DC3C18FD7BE48BDC6664E40705E1C)
- RBNotifier.exe (PID: 2472, cmdline: `"C:\Program Files (x86)\Right Backup\RBNotifier.exe" createschedule -fireurlsilently`, MD5: 9224B0817D3684EAE9E20804F29D3DED)
- RightBackup.exe (PID: 412, cmdline: `"C:\Program Files (x86)\Right Backup\RightBackup.exe" loadvalues`, MD5: 0E1DC3C18FD7BE48BDC6664E40705E1C)
- svchost.exe (PID: 1964, cmdline: `C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS`, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- RBClientService.exe (PID: 3396, cmdline: `"C:\Program Files (x86)\Right Backup\RBClientService.exe"`, MD5: E3EDEEE8F3B5C66ED697C231F0DDB056)
- RightBackup.exe (PID: 4524, cmdline: `"C:\Program Files (x86)\Right Backup\RightBackup.exe" autolaunch`, MD5: 0E1DC3C18FD7BE48BDC6664E40705E1C)
- RBNotifier.exe (PID: 6664, cmdline: `"C:\Program Files (x86)\Right Backup\RBNotifier.exe" neweventtrigger`, MD5: 9224B0817D3684EAE9E20804F29D3DED)
- RBNotifier.exe (PID: 6184, cmdline: `"C:\Program Files (x86)\Right Backup\RBNotifier.exe" startup`, MD5: 9224B0817D3684EAE9E20804F29D3DED)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
System Summary

| Source | Author |
|---|---|
| | frack113 |
| | vburov |

Snort IDS alert

| Field | Value |
|---|---|
| Timestamp | 04/19/24-01:33:00.171014 |
| SID | 2809549 |
| Source Port | 49706 |
| Destination Port | 80 |
| Protocol | TCP |
| Classtype | A Network Trojan was detected |
| Source | Detail |
|---|---|
| | Code function: 51_2_06A9DE5C |
| | Code function: 51_2_06A9DD40 |
| | Code function: 51_2_06A9DABA |
| | Code function: 51_2_06A9DA00 |
| | Code function: 51_2_06A9DA72 |
| | Code function: 51_2_06A9DB30 |
| | Code function: 51_2_06A9D890 |
| | Code function: 51_2_06A9D86F |
| | Static PE information |
| | HTTPS traffic detected (3 entries) |
| | Static PE information |
| | HTTPS traffic detected (14 entries) |
| | Static PE information |
| | Binary string (3 entries) |