Edit tour
Windows
Analysis Report
957C4XK6Lt.exe
Overview
General Information
Sample name: | 957C4XK6Lt.exerenamed because original name is a hash value |
Original sample name: | f33c75710d0e0463a2528e619c2ee382.exe |
Analysis ID: | 1430850 |
MD5: | f33c75710d0e0463a2528e619c2ee382 |
SHA1: | 4d2dd071fe274e6a8696448c21eeeecc0cf07e6d |
SHA256: | ec7dd08d03d5d4142c82fc04cea7e948d05641b0a3008a0d8a00b0421b5b04f9 |
Tags: | 32exetrojan |
Infos: | |
Detection
Phorpiex
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Phorpiex
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Connects to several IPs in different countries
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- 957C4XK6Lt.exe (PID: 3748 cmdline:
"C:\Users\ user\Deskt op\957C4XK 6Lt.exe" MD5: F33C75710D0E0463A2528E619C2EE382) - 135143440.exe (PID: 6684 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\1351434 40.exe MD5: 36010B83BCCFCD1032971DF9FC5082A1) - 1682018248.exe (PID: 6528 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\1682018 248.exe MD5: CD1D9C0ED8763E6BB3EE7EFB133DC60E)
- sysvratrel.exe (PID: 5676 cmdline:
"C:\Users\ user\sysvr atrel.exe" MD5: 36010B83BCCFCD1032971DF9FC5082A1)
- sysvratrel.exe (PID: 2012 cmdline:
"C:\Window s\sysvratr el.exe" MD5: 36010B83BCCFCD1032971DF9FC5082A1)
- sysvratrel.exe (PID: 6196 cmdline:
"C:\Users\ user\sysvr atrel.exe" MD5: 36010B83BCCFCD1032971DF9FC5082A1)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Phorpiex | Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings. | No Attribution |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
Click to see the 12 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
Click to see the 5 entries |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Timestamp: | 04/24/24-10:09:33.285933 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:07:51.958250 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:06:57.287872 |
SID: | 2856563 |
Source Port: | 59936 |
Destination Port: | 53 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:10:13.394595 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:08:32.035369 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:07:11.867133 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:09:58.363225 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:09:23.285105 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:09:48.347692 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:07:31.911742 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:08:11.988207 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:09:53.363437 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:07:46.957752 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:09:18.287284 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:07:56.957867 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:07:26.909948 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:08:48.239817 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:08:01.978212 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:07:21.863771 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:10:48.476371 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:10:53.507363 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:10:43.459613 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:10:18.414506 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:08:58.253867 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:10:23.425986 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:07:16.864431 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:10:03.378900 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:08:43.222645 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:08:53.254442 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:10:33.442451 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:08:22.004023 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:09:28.285044 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:09:43.348638 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:10:58.504112 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:10:28.442260 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:09:13.269540 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:07:41.942141 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:08:27.019326 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:08:16.989023 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-10:09:03.253978 |
SID: | 2044077 |
Source Port: | 59141 |
Destination Port: | 40500 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 3_2_0040C0C0 | |
Source: | Code function: | 5_2_0040C0C0 | |
Source: | Code function: | 8_2_0040C0C0 |
Phishing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Code function: | 3_2_00406650 | |
Source: | Code function: | 3_2_00406510 | |
Source: | Code function: | 5_2_00406650 | |
Source: | Code function: | 5_2_00406510 | |
Source: | Code function: | 8_2_00406650 | |
Source: | Code function: | 8_2_00406510 |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | Code function: | 3_2_0040ACC0 | |
Source: | Code function: | 5_2_0040ACC0 | |
Source: | Code function: | 8_2_0040ACC0 |
Source: | Network traffic detected: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: | ||
Source: | UDP traffic: |
Source: | HTTP traffic detected: |