Edit tour
Windows
Analysis Report
zlONcFaXkc.exe
Overview
General Information
Sample name: | zlONcFaXkc.exerenamed because original name is a hash value |
Original sample name: | 1c762a2cd186f1cde4b9e5d743eca3b5.exe |
Analysis ID: | 1430590 |
MD5: | 1c762a2cd186f1cde4b9e5d743eca3b5 |
SHA1: | a0eff9fa7b5ada96c8acf483de9519a9e2548d80 |
SHA256: | a5b0d190fc09cd5c1ea07fa6b12a7dd4ab5f517c778fb60e4e14060e00ddecc8 |
Tags: | 64exetrojan |
Infos: | |
Detection
PureLog Stealer, Xmrig, zgRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Sigma detected: Xmrig
Snort IDS alert for network traffic
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a Chrome extension
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Chromium Browser Instance Executed With Custom Extension
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- zlONcFaXkc.exe (PID: 7316 cmdline:
"C:\Users\ user\Deskt op\zlONcFa Xkc.exe" MD5: 1C762A2CD186F1CDE4B9E5D743ECA3B5)
- Target.exe (PID: 7384 cmdline:
C:\Users\u ser\AppDat a\Roaming\ IsFixedSiz e\Target.e xe MD5: 1C762A2CD186F1CDE4B9E5D743ECA3B5) - zcezeaqsuhi.exe (PID: 7508 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\zcezea qsuhi.exe" MD5: 8C4465565BB876235F68BCDDCCA4F3A7) - chrome.exe (PID: 7576 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --lo ad-extensi on="C:\Use rs\user\Ap pData\Loca l\Temp\Ext ension" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7680 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2060 --fi eld-trial- handle=196 4,i,182685 8975372285 7029,66537 9080177264 2783,26214 4 /prefetc h:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - msedge.exe (PID: 7600 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --load- extension= "C:\Users\ user\AppDa ta\Local\T emp\Extens ion" MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8116 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=20 96 --field -trial-han dle=1988,i ,718469027 6915472336 ,948130876 3283154706 ,262144 /p refetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) - WerFault.exe (PID: 7968 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 7 508 -s 151 6 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - AddInProcess.exe (PID: 7492 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Ad dInProcess .exe -o 18 5.196.10.2 33:35662 - u ZEPHs72f KDmidnGGBp gHXJHNdpe4 9PRJa1tvHR ycwAPy9VLQ pybiQf527b iDskd3jSJy DZY5UbzexC 3Fnoxu4rBv gyx1b5vnkJ f.RIG_CPU -p x --alg o rx/0 --c pu-max-thr eads-hint= 50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)
- svchost.exe (PID: 7832 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - WerFault.exe (PID: 7932 cmdline:
C:\Windows \system32\ WerFault.e xe -pss -s 468 -p 75 08 -ip 750 8 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- svchost.exe (PID: 7856 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- msedge.exe (PID: 8092 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --load- extension= "C:\Users\ user\AppDa ta\Local\T emp\Extens ion" --fla g-switches -begin --f lag-switch es-end --d isable-nac l --do-not -de-elevat e MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 6064 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=19 24 --field -trial-han dle=2104,i ,706280244 4683946307 ,123720508 8492262390 9,262144 / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8860 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ass et_store.m ojom.Asset StoreServi ce --lang= en-GB --se rvice-sand box-type=a sset_store _service - -mojo-plat form-chann el-handle= 6680 --fie ld-trial-h andle=2104 ,i,7062802 4446839463 07,1237205 0884922623 909,262144 /prefetch :8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8896 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ent ity_extrac tion_servi ce.mojom.E xtractor - -lang=en-G B --servic e-sandbox- type=entit y_extracti on --onnx- enabled-fo r-ee --moj o-platform -channel-h andle=6956 --field-t rial-handl e=2104,i,7 0628024446 83946307,1 2372050884 922623909, 262144 /pr efetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - identity_helper.exe (PID: 9616 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \117.0.204 5.47\ident ity_helper .exe" --ty pe=utility --utility -sub-type= winrt_app_ id.mojom.W inrtAppIdS ervice --l ang=en-GB --service- sandbox-ty pe=none -- mojo-platf orm-channe l-handle=7 300 --fiel d-trial-ha ndle=2104, i,70628024 4468394630 7,12372050 8849226239 09,262144 /prefetch: 8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416) - identity_helper.exe (PID: 9648 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \117.0.204 5.47\ident ity_helper .exe" --ty pe=utility --utility -sub-type= winrt_app_ id.mojom.W inrtAppIdS ervice --l ang=en-GB --service- sandbox-ty pe=none -- mojo-platf orm-channe l-handle=7 300 --fiel d-trial-ha ndle=2104, i,70628024 4468394630 7,12372050 8849226239 09,262144 /prefetch: 8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416) - msedge.exe (PID: 2692 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=edg e_search_i ndexer.moj om.SearchI ndexerInte rfaceBroke r --lang=e n-GB --ser vice-sandb ox-type=se arch_index er --messa ge-loop-ty pe-ui --mo jo-platfor m-channel- handle=662 8 --field- trial-hand le=2104,i, 7062802444 683946307, 1237205088 4922623909 ,262144 /p refetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 9952 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ass et_store.m ojom.Asset StoreServi ce --lang= en-GB --se rvice-sand box-type=a sset_store _service - -mojo-plat form-chann el-handle= 3028 --fie ld-trial-h andle=2104 ,i,7062802 4446839463 07,1237205 0884922623 909,262144 /prefetch :8 MD5: 69222B8101B0601CC6663F8381E7E00F)
- svchost.exe (PID: 9480 cmdline:
C:\Windows \System32\ svchost.ex e -k Local Service -p -s Licens eManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 9580 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s l fsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- msedge.exe (PID: 6408 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --no-st artup-wind ow --win-s ession-sta rt /prefet ch:5 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 732 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=21 76 --field -trial-han dle=2120,i ,141715658 2723409073 2,98994168 5844687629 4,262144 / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 9748 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --no-st artup-wind ow --win-s ession-sta rt /prefet ch:5 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 5164 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=22 04 --field -trial-han dle=2028,i ,661755407 9144185053 ,329871253 0362425133 ,262144 /p refetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
| |
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
Click to see the 24 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
Click to see the 36 entries |
Bitcoin Miner |
---|
Source: | Author: Joe Security: |
System Summary |
---|
Source: | Author: Aedan Russell, frack113, X__Junior (Nextron Systems): |
Source: | Author: vburov: |
Timestamp: | 04/23/24-23:02:05.994156 |
SID: | 2019714 |
Source Port: | 49732 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Potentially Bad Traffic |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Joe Sandbox ML: |
Bitcoin Miner |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | TCP traffic: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Snort IDS: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |