Windows
Analysis Report
SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe
Overview
General Information
Detection
Exela Stealer, Python Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Sigma detected: Capture Wi-Fi password
Yara detected Exela Stealer
Yara detected Python Stealer
Detected generic credential text file
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Overwrites the password of the administrator account
Performs a network lookup / discovery via ARP
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: MSHTA Suspicious Execution 01
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Classification
- System is w10x64
- SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe" MD5: D53E9B9D10AFFCF90E613ABCCC702CA2)
- SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe (PID: 6816 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe" MD5: D53E9B9D10AFFCF90E613ABCCC702CA2)
- cmd.exe (PID: 6932 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7116 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 3732 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 7140 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 5428 cmdline: wmic computersystem get Manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 7160 cmdline: C:\Windows\system32\cmd.exe /c "gdb --version" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3228 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 6168 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 2004 cmdline: C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 3980 cmdline: wmic path Win32_ComputerSystem get Manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 6936 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 6600 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- Conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6984 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7080 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 7016 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- attrib.exe (PID: 5812 cmdline: attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
- cmd.exe (PID: 1076 cmdline: C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" /f" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 7120 cmdline: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- cmd.exe (PID: 7092 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- mshta.exe (PID: 7072 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- cmd.exe (PID: 4592 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7104 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 7044 cmdline: C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7112 cmdline: C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2476 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7080 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 7096 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6988 cmdline: powershell.exe Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 7224 cmdline: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewall info#### & netsh firewall show state & netsh firewall show config" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- systeminfo.exe (PID: 7312 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
- WmiPrvSE.exe (PID: 7400 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- HOSTNAME.EXE (PID: 7516 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)
- WMIC.exe (PID: 7536 cmdline: wmic logicaldisk get caption,description,providername MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- net.exe (PID: 7652 cmdline: net user MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7668 cmdline: C:\Windows\system32\net1 user MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- query.exe (PID: 7684 cmdline: query user MD5: 29043BC0B0F99EAFF36CAD35CBEE8D45)
- quser.exe (PID: 7700 cmdline: "C:\Windows\system32\quser.exe" MD5: 480868AEBA9C04CA04D641D5ED29937B)
- net.exe (PID: 7716 cmdline: net localgroup MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7732 cmdline: C:\Windows\system32\net1 localgroup MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- net.exe (PID: 7748 cmdline: net localgroup administrators MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7764 cmdline: C:\Windows\system32\net1 localgroup administrators MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- net.exe (PID: 7780 cmdline: net user guest MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7796 cmdline: C:\Windows\system32\net1 user guest MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- net.exe (PID: 7816 cmdline: net user administrator MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7832 cmdline: C:\Windows\system32\net1 user administrator MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- WMIC.exe (PID: 7848 cmdline: wmic startup get caption,command MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- tasklist.exe (PID: 7880 cmdline: tasklist /svc MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- ipconfig.exe (PID: 7908 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
- ROUTE.EXE (PID: 7932 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)
- ARP.EXE (PID: 7948 cmdline: arp -a MD5: 2AF1B2C042B83437A4BE82B19749FA98)
- NETSTAT.EXE (PID: 7964 cmdline: netstat -ano MD5: 7FDDD6681EA81CE26E64452336F479E6)
- sc.exe (PID: 7980 cmdline: sc query type= service state= all MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- netsh.exe (PID: 7996 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- netsh.exe (PID: 8024 cmdline: netsh firewall show config MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- cmd.exe (PID: 7232 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- netsh.exe (PID: 7320 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- svchost.exe (PID: 7596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- Exela.exe (PID: 8068 cmdline: "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" MD5: D53E9B9D10AFFCF90E613ABCCC702CA2)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_ExelaStealer | Yara detected Exela Stealer | Joe Security | |
| | JoeSecurity_PythonStealer | Yara detected Python Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_PythonStealer | Yara detected Python Stealer | Joe Security | |
| | JoeSecurity_ExelaStealer | Yara detected Exela Stealer | Joe Security | |
System Summary

| Source | Author |
|---|---|
| | Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) |
| | _pete_0, TheDFIRReport |
| | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| | Victor Sergeev, Daniil Yugoslavskiy, oscd.community |
| | Florian Roth (Nextron Systems) |
| | Nasreddine Bencherchali (Nextron Systems) |
| | Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems) |
| | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community |
| | Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) |
| | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
| | frack113 |
| | frack113 |
| | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' |