Windows
Analysis Report
jNeaezBuo8.exe
Overview
General Information
Sample name: | jNeaezBuo8.exe (renamed because the original name is a hash value) |
Original sample name: | dfe244414c8461175241ce54707eb6b6.exe |
Analysis ID: | 1429049 |
MD5: | dfe244414c8461175241ce54707eb6b6 |
SHA1: | 1c94e583b7058d01dad42d56ef5ddf17b64b5778 |
SHA256: | 6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e |
Tags: | 64, exe, trojan |
Detection
Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found Tor onion address
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Group Policy settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
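The Defender-tampering and persistence signatures above (the Add-MpPreference exclusion, the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma hit, the batch file in the Startup folder, and payloads started from the user's Pictures and Temp folders) correspond to a handful of process-creation events in the process tree below. The following triage logic is an added example, not Joe Sandbox code: it flags Add-/Set-MpPreference exclusion or real-time-protection changes, decodes a -EncodedCommand argument so the same cmdlet cannot hide behind base64, checks whether the excluded path is the parent process's own image (the dropper whitelisting itself), and catches a script run from the Startup folder and executables launched from user-writable folders. The event tuples are constructed from the report's command lines; the encoded-command event (PID 9001) and the explorer.exe parent of the Startup-folder cmd.exe are hypothetical.

```python
"""Triage of process-creation events for the behaviours flagged above.

Added example, not Joe Sandbox code.  SAMPLE_EVENTS is constructed from the
command lines in the report's process tree; the encoded-command event
(PID 9001) and the explorer.exe parent of the Startup-folder cmd.exe are
hypothetical.
"""
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# -EncodedCommand and its short forms (-e, -ec, -enc) take base64 of UTF-16LE text.
_ENCODED = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# Defender tampering through the MpPreference cmdlets.
_MPPREF = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?"
    r"(-Exclusion(?:Path|Extension|Process)|-DisableRealtimeMonitoring)"
)
_EXCL_PATH = re.compile(r'(?i)-ExclusionPath\s+(?:"([^"]+)"|(\S+))')
# Script executed from the per-user Startup folder.
_STARTUP_SCRIPT = re.compile(
    r"(?i)\\Start Menu\\Programs\\Startup\\[^\"\\]+\.(?:bat|cmd|vbs|js|ps1)\b"
)
# Executable image under a user-writable, non-program folder.
_USER_DIR_EXE = re.compile(
    r"(?i)^C:\\Users\\[^\\]+\\(?:Pictures|Documents|AppData\\Local(?:\\Temp)?)\\[^\\]+\.exe$"
)

Event = Tuple[int, str, str, str]  # (pid, parent_image, image, cmdline)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument, or None if absent or malformed."""
    m = _ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events: Iterable[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for pid, parent, image, cmdline in events:
        effective = cmdline
        if image.lower().endswith("powershell.exe"):
            decoded = decode_encoded_command(cmdline)
            if decoded:
                findings.append(Finding(pid, "powershell_encoded_command", decoded.strip()))
                effective = f"{cmdline} {decoded}"  # run the rules over the plaintext too
        m = _MPPREF.search(effective)
        if m:
            findings.append(Finding(pid, "defender_exclusion_or_disable", m.group(1)))
            p = _EXCL_PATH.search(effective)
            # An exclusion for the parent's own image is the dropper whitelisting itself.
            if p and (p.group(1) or p.group(2)).lower() == parent.lower():
                findings.append(Finding(pid, "self_exclusion_by_parent", parent))
        m = _STARTUP_SCRIPT.search(effective)
        if m:
            findings.append(Finding(pid, "startup_folder_script", m.group(0)))
        if _USER_DIR_EXE.match(image):
            findings.append(Finding(pid, "exe_from_user_writable_dir", image))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\jNeaezBuo8.exe"
EXPLORER = r"C:\Windows\explorer.exe"  # assumed parent for the Startup-folder launch
# Constructed: the same cmdlet with another path, encoded the way -EncodedCommand
# expects it (UTF-16LE text, base64).
ENCODED_SAMPLE = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\ProgramData" -Force'.encode("utf-16-le")
).decode()

SAMPLE_EVENTS: List[Event] = [
    (3636, EXPLORER, DROPPER, f'"{DROPPER}"'),
    (652, DROPPER, PS, f'"{PS}" Add-MpPreference -ExclusionPath "{DROPPER}" -Force'),
    (9001, DROPPER, PS, f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}"),  # hypothetical
    (6020, DROPPER, r"C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe",
     r'"C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe"'),
    (7152, DROPPER, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"'),
    (5988, EXPLORER, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows'
     r'\Start Menu\Programs\Startup\c6sF6ZIbUf4h0chyjX8GoXwd.bat" "'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.pid:>5}  {f.rule:<32} {f.detail}")
```

Feed the same tuples from Sysmon event ID 1 or Windows 4688 (with command-line auditing enabled) to get the same findings; jsc.exe launched with no arguments (PID 7152) is deliberately left unflagged here, since that hollowing target needs a parent/child rule rather than a command-line one.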
Classification
- System is w10x64
- jNeaezBuo8.exe (PID: 3636 cmdline: "C:\Users\user\Desktop\jNeaezBuo8.exe" MD5: DFE244414C8461175241CE54707EB6B6)
- powershell.exe (PID: 652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jNeaezBuo8.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WmiPrvSE.exe (PID: 5060 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- jsc.exe (PID: 7152 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
- KB7dlYN3AfN1oeAtjoqEId5Q.exe (PID: 6020 cmdline: "C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe" MD5: B9EBDC793CC3FBE86AA0A538FFC33478)
- u4n8.0.exe (PID: 7332 cmdline: "C:\Users\user\AppData\Local\Temp\u4n8.0.exe" MD5: 31CB8FF276A0A394C3572A942FB623C3)
- oV9qcl4WOt6pr8Qw3ls1WbNr.exe (PID: 3580 cmdline: "C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe" MD5: 3B4F81A6C1CF0D18A0228D9B5797C1D1)
- powershell.exe (PID: 8084 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- OOMSHFu8BfhOzlMYdVgLGKxh.exe (PID: 2828 cmdline: "C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe" MD5: 3B4F81A6C1CF0D18A0228D9B5797C1D1)
- powershell.exe (PID: 7488 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- DAzvKQG6Ksqk3AfqsZxaFtPP.exe (PID: 6680 cmdline: "C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe" MD5: FFEE05EA98B1D51026A44FAD0841A8A9)
- 09JXLFzEJOC5kWQEY7XIw75i.exe (PID: 5480 cmdline: "C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe" --silent --allusers=0 MD5: 532636E5A6A62CB1329E96253F2A6949)
- 09JXLFzEJOC5kWQEY7XIw75i.exe (PID: 2668 cmdline: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x258,0x6c5be1d0,0x6c5be1dc,0x6c5be1e8 MD5: 532636E5A6A62CB1329E96253F2A6949)
- 09JXLFzEJOC5kWQEY7XIw75i.exe (PID: 7204 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\09JXLFzEJOC5kWQEY7XIw75i.exe" --version MD5: 532636E5A6A62CB1329E96253F2A6949)
- 09JXLFzEJOC5kWQEY7XIw75i.exe (PID: 7540 cmdline: "C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5480 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240420115402" --session-guid=7c8aa1aa-7a32-47df-9a77-320b42f4c511 --server-tracking-blob="YjU1MjY3ZTRkZDgxZTBkNTJhNmUwZWY1OWIyZGNlZTljZjU0OTA1ZTA2Yzc0MGEwZGRjN2NiM2U1NjA4MjkxMzp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNjA2ODM4LjA0NTIiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMzUyYWJiN2YtMWFlNC00NDNlLTgxNWEtYzU1NDc1YTYyOGE3In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C05000000000000 MD5: 532636E5A6A62CB1329E96253F2A6949)
- 09JXLFzEJOC5kWQEY7XIw75i.exe (PID: 7596 cmdline: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6b94e1d0,0x6b94e1dc,0x6b94e1e8 MD5: 532636E5A6A62CB1329E96253F2A6949)
- qVgCKtvfJNb4NfGV6kK2PcSn.exe (PID: 7608 cmdline: "C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe" MD5: B9EBDC793CC3FBE86AA0A538FFC33478)
- u5vc.0.exe (PID: 7108 cmdline: "C:\Users\user\AppData\Local\Temp\u5vc.0.exe" MD5: 31CB8FF276A0A394C3572A942FB623C3)
- Qg_Appv5.exe (PID: 4500 cmdline: "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe" MD5: 6955715B6FF15BDC153A2431CC395CCA)
- 7h3MwjMZ6vEaBgd6kdodu3Pw.exe (PID: 7724 cmdline: "C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe" MD5: 3B4F81A6C1CF0D18A0228D9B5797C1D1)
- TXqT6X30DuHmvWeCAIdAJgkl.exe (PID: 7732 cmdline: "C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe" MD5: 3B4F81A6C1CF0D18A0228D9B5797C1D1)
- powershell.exe (PID: 6436 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ZK4CNPe2v25Jrp4qNSGWaEQ7.exe (PID: 7752 cmdline: "C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe" --silent --allusers=0 MD5: AE7373A75B55B4B5ABF63C4FE48F9600)
- ZK4CNPe2v25Jrp4qNSGWaEQ7.exe (PID: 7816 cmdline: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x2ac,0x2bc,0x6afce1d0,0x6afce1dc,0x6afce1e8 MD5: AE7373A75B55B4B5ABF63C4FE48F9600)
- ZK4CNPe2v25Jrp4qNSGWaEQ7.exe (PID: 7980 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe" --version MD5: AE7373A75B55B4B5ABF63C4FE48F9600)
- cCuDz5Qaw0neUcm6E5xOvfYH.exe (PID: 7784 cmdline: "C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe" MD5: FFEE05EA98B1D51026A44FAD0841A8A9)
- ayhJ6kQ8IqoRz2vLrcRuSLzw.exe (PID: 8132 cmdline: "C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe" MD5: AAA56797070369AD346FBD9BB6CC5E8B)
- bOYJAXg8qqrEFblwExl79wvd.exe (PID: 4256 cmdline: "C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe" MD5: B9EBDC793CC3FBE86AA0A538FFC33478)
- u3a8.0.exe (PID: 2584 cmdline: "C:\Users\user\AppData\Local\Temp\u3a8.0.exe" MD5: 31CB8FF276A0A394C3572A942FB623C3)
- KtJVXw17tLyQAhIxYU41jVqs.exe (PID: 6100 cmdline: "C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe" MD5: 3B4F81A6C1CF0D18A0228D9B5797C1D1)
- Y19ex8vzCbShkGSA8eqfhDzt.exe (PID: 8176 cmdline: "C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe" MD5: 3B4F81A6C1CF0D18A0228D9B5797C1D1)
- eYOrtx4XT9Xlr5FknYeLBgkD.exe (PID: 7356 cmdline: "C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe" --silent --allusers=0 MD5: C0F4592F8DD0BCA0145D851B8FB677DE)
- tBkWHcKqBZ65lLNmFWjY4rC6.exe (PID: 8032 cmdline: "C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe" MD5: FFEE05EA98B1D51026A44FAD0841A8A9)
- jsc.exe (PID: 1096 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
- WerFault.exe (PID: 1864 cmdline: C:\Windows\system32\WerFault.exe -u -p 3636 -s 1360 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- svchost.exe (PID: 6084 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- WerFault.exe (PID: 3380 cmdline: C:\Windows\system32\WerFault.exe -pss -s 436 -p 3636 -ip 3636 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- svchost.exe (PID: 6192 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7420 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7436 cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7444 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cmd.exe (PID: 5988 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6sF6ZIbUf4h0chyjX8GoXwd.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ZUXB5CkDapzE7efrdUFhJ892.exe (PID: 1576 cmdline: "C:\Users\user\AppData\Local\ZUXB5CkDapzE7efrdUFhJ892.exe" MD5: FFEE05EA98B1D51026A44FAD0841A8A9)
- cleanup
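The Opera installer the dropper launches (PID 7540 above) is passed a --server-tracking-blob argument. Decoded, it is base64 of a 64-hex-digit prefix, a colon and a JSON document carrying the install's attribution: country, installer name, the utm campaign/source/medium, a timestamp and an install UUID, which is what tells an analyst which distribution campaign gets credited for the bundled install. The decoder below is an added example, not code from the report or from Opera; the blob is copied verbatim from the process tree, and the reading of the prefix as a hash is an assumption marked in the code.

```python
"""Decode the --server-tracking-blob passed to the bundled Opera installer.

Added example, not code from the report or from Opera.  The blob is copied
verbatim from the process tree (PID 7540), split into the same chunks in
which it is printed there; the trailing space inside the quotes is stripped.
"""
import base64
import json
import re
from datetime import datetime, timezone

SERVER_TRACKING_BLOB = (
    "YjU1Mj" "Y3ZTRkZDgx" "ZTBkNTJhNm" "UwZWY1OWIy" "ZGNlZTljZj" "U0OTA1ZTA2"
    "Yzc0MGEwZG" "RjN2NiM2U1" "NjA4MjkxMz" "p7ImNvdW50" "cnkiOiJVUy" "IsImluc3Rh"
    "bGxlcl9uYW" "1lIjoiT3Bl" "cmFTZXR1cC" "5leGUiLCJw" "cm9kdWN0Ij" "p7Im5hbWUi"
    "OiJvcGVyYS" "J9LCJxdWVy" "eSI6Ii9vcG" "VyYS9zdGFi" "bGUvd2luZG" "93cy8/dXRt"
    "X21lZGl1bT" "1hcGImdXRt" "X3NvdXJjZT" "1ta3QmdXRt" "X2NhbXBhaW" "duPTc2N19f"
    "MTIzIiwic3" "lzdGVtIjp7" "InBsYXRmb3" "JtIjp7ImFy" "Y2giOiJ4OD" "ZfNjQiLCJv"
    "cHN5cyI6Il" "dpbmRvd3Mi" "LCJvcHN5cy" "12ZXJzaW9u" "IjoiMTAiLC" "JwYWNrYWdl"
    "IjoiRVhFIn" "19LCJ0aW1l" "c3RhbXAiOi" "IxNzEzNjA2" "ODM4LjA0NT" "IiLCJ1dG0i"
    "OnsiY2FtcG" "FpZ24iOiI3" "NjdfXzEyMy" "IsIm1lZGl1" "bSI6ImFwYi" "IsInNvdXJj"
    "ZSI6Im1rdC" "J9LCJ1dWlk" "IjoiMzUyYW" "JiN2YtMWFl" "NC00NDNlLT" "gxNWEtYzU1"
    "NDc1YTYyOG" "E3In0="
)

_PREFIX = re.compile(r"[0-9a-f]{64}")


def parse_tracking_blob(blob: str) -> dict:
    """Layout seen here: base64( <64 hex digits> ":" <JSON> ).

    The hex prefix is assumed to be a hash over the JSON (not verified here);
    it is returned under "_prefix" and the parsed timestamp under "_timestamp_utc".
    """
    raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    prefix, sep, body = raw.partition(":")
    if sep != ":" or not _PREFIX.fullmatch(prefix):
        raise ValueError("unexpected tracking-blob layout")
    data = json.loads(body)
    data["_prefix"] = prefix
    data["_timestamp_utc"] = datetime.fromtimestamp(
        int(float(data["timestamp"])), tz=timezone.utc
    )
    return data


def is_tracking_blob(blob: str) -> bool:
    """True if the string has the layout above; handy when scanning argument lists."""
    try:
        parse_tracking_blob(blob)
        return True
    except (ValueError, KeyError, UnicodeDecodeError):
        return False


def campaign_summary(data: dict) -> dict:
    """The fields that show which distribution campaign is credited for the install."""
    plat = data["system"]["platform"]
    return {
        "installer": data["installer_name"],
        "campaign": data["utm"]["campaign"],
        "source": data["utm"]["source"],
        "medium": data["utm"]["medium"],
        "country": data["country"],
        "platform": f'{plat["opsys"]} {plat["opsys-version"]} {plat["arch"]}',
        "install_uuid": data["uuid"],
        "timestamp_utc": data["_timestamp_utc"].isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(campaign_summary(parse_tracking_blob(SERVER_TRACKING_BLOB)), indent=2))
```

The decoded timestamp (09:53:58 UTC on 2024-04-20) lines up with the opera_package_20240420115402 directory name in the same command line, two hours ahead, i.e. the sandbox's local time.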
Name | Description | Attribution |
---|---|---|
Glupteba | Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet. | No Attribution |
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
Vidar | Vidar is a forked malware based on Arkei. It appears to be one of the first stealers to grab information from 2FA software and the Tor Browser. | No Attribution |
zgRAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT also has an infostealer capability that targets browser information and cryptocurrency wallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and the like. | No Attribution |
No configs have been found
Rule | Description | Author |
---|---|---|
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
Rule | Description | Author |
---|---|---|
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |
(40 entries in total; 5 shown)
Rule | Description | Author |
---|---|---|
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security |
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
(29 entries in total; 5 shown)
Sigma matches by category | Rule author |
---|---|
System Summary | Florian Roth (Nextron Systems) |
System Summary | Florian Roth (Nextron Systems) |
System Summary | Christian Burkard (Nextron Systems) |
System Summary | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
System Summary | vburov |
Data Obfuscation | Joe Security |
No Snort rule has matched
AV Detection |
---|
Code function: | 18_2_00409540, 18_2_004155A0, 18_2_00406C10, 18_2_004094A0, 18_2_0040BF90, 18_2_03659707, 18_2_036597A7, 18_2_03656E77, 18_2_0365C1F7, 18_2_03665807 |
Exploits |
---|
Bitcoin Miner |
---|
Compliance |
---|
Change of critical system settings |
---|
Code function (process 10): | 10_2_0041D9E1, 10_2_036FDC48 |
Code function (process 18): | 18_2_00412570, 18_2_0040D1C0, 18_2_004015C0, 18_2_00411650, 18_2_0040B610, 18_2_0040DB60, 18_2_00411B80, 18_2_0040D540, 18_2_004121F0, 18_2_036627D7, 18_2_0365D7A7, 18_2_03661DE7, 18_2_0365DDC7, 18_2_0365B877, 18_2_03662457, 18_2_0365D427, 18_2_03651827, 18_2_036618B7 |
Code function (process 24): | 24_2_0041D9E1, 24_2_035BDC48 |
Networking |
---|