Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Maps a DLL or memory area into another process
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Installs a Chrome extension
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Chromium Browser Instance Executed With Custom Extension
Yara signature match
Classification
- System is w10x64
- file.exe (PID: 5728 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: 22E35BEA6A2653C8393DB13A83B0CF97) - chrome.exe (PID: 4372 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --lo ad-extensi on="C:\Use rs\user\Ap pData\Loca l\Temp\Ext ension" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92) - chrome.exe (PID: 6556 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =1700 --fi eld-trial- handle=202 8,i,139766 1169919447 6982,14356 8669755957 87732,2621 44 /prefet ch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92) - msedge.exe (PID: 2096 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --load- extension= "C:\Users\ user\AppDa ta\Local\T emp\Extens ion" MD5: BF154738460E4AB1D388970E1AB13FAB) - msedge.exe (PID: 7484 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=22 08 --field -trial-han dle=2160,i ,923282636 7822327522 ,172426027 8021044032 8,262144 / prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB) - WerFault.exe (PID: 1492 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 5 728 -s 165 6 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- msedge.exe (PID: 7624 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --load- extension= "C:\Users\ user\AppDa ta\Local\T emp\Extens ion" --fla g-switches -begin --f lag-switch es-end --d isable-nac l --do-not -de-elevat e MD5: BF154738460E4AB1D388970E1AB13FAB) - msedge.exe (PID: 7944 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=20 84 --field -trial-han dle=1980,i ,183837527 8352171482 4,43278344 3260239212 8,262144 / prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB) - identity_helper.exe (PID: 9196 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \117.0.204 5.55\ident ity_helper .exe" --ty pe=utility --utility -sub-type= winrt_app_ id.mojom.W inrtAppIdS ervice --l ang=en-GB --service- sandbox-ty pe=none -- mojo-platf orm-channe l-handle=6 300 --fiel d-trial-ha ndle=1980, i,18383752 7835217148 24,4327834 4326023921 28,262144 /prefetch: 8 MD5: F8CEC3E43A6305AC9BA3700131594306) - identity_helper.exe (PID: 9208 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \117.0.204 5.55\ident ity_helper .exe" --ty pe=utility --utility -sub-type= winrt_app_ id.mojom.W inrtAppIdS ervice --l ang=en-GB --service- sandbox-ty pe=none -- mojo-platf orm-channe l-handle=6 300 --fiel d-trial-ha ndle=1980, i,18383752 7835217148 24,4327834 4326023921 28,262144 /prefetch: 8 MD5: F8CEC3E43A6305AC9BA3700131594306) - msedge.exe (PID: 8948 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ass et_store.m ojom.Asset StoreServi ce --lang= en-GB --se rvice-sand box-type=a sset_store _service - -mojo-plat form-chann el-handle= 7620 --fie ld-trial-h andle=1980 ,i,1838375 2783521714 824,432783 4432602392 128,262144 /prefetch :8 MD5: BF154738460E4AB1D388970E1AB13FAB) - msedge.exe (PID: 8936 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ent ity_extrac tion_servi ce.mojom.E xtractor - -lang=en-G B --servic e-sandbox- type=entit y_extracti on --onnx- enabled-fo r-ee --moj o-platform -channel-h andle=7776 --field-t rial-handl e=1980,i,1 8383752783 521714824, 4327834432 602392128, 262144 /pr efetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB) - msedge.exe (PID: 3608 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=edg e_search_i ndexer.moj om.SearchI ndexerInte rfaceBroke r --lang=e n-GB --ser vice-sandb ox-type=se arch_index er --messa ge-loop-ty pe-ui --mo jo-platfor m-channel- handle=773 2 --field- trial-hand le=1980,i, 1838375278 3521714824 ,432783443 2602392128 ,262144 /p refetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
|
System Summary |
---|
Source: | Author: Aedan Russell, frack113, X__Junior (Nextron Systems): |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |