Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report


General Information

Sample name:wssvZm9dNK.exe
renamed because original name is a hash value
Original sample name:2c5697f085b66bec06e28ed6d24ec606.exe
Analysis ID:1461765


Range:0 - 100


Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AntiVM3
Yara detected PXRECVOWEIWOEI Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer


  • System is w7x64
  • wssvZm9dNK.exe (PID: 2036 cmdline: "C:\Users\user\Desktop\wssvZm9dNK.exe" MD5: 2C5697F085B66BEC06E28ED6D24EC606)
    • cmd.exe (PID: 2964 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: AD7B9C14083B52BC532FBA5948342B98)
      • chcp.com (PID: 2776 cmdline: chcp 65001 MD5: 4436B1A16BDC58D2B3A5263F042C09B3)
      • netsh.exe (PID: 2712 cmdline: netsh wlan show profile MD5: 784A50A6A09C25F011C3143DDD68E729)
      • findstr.exe (PID: 2120 cmdline: findstr All MD5: 18F02C555FBC9885DF9DB77754D6BB9B)
  • msiexec.exe (PID: 3040 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)
  • cleanup
No configs have been found
00000000.00000002.401019526.00000000026B6000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PXRECVOWEIWOEIYara detected PXRECVOWEIWOEI StealerJoe Security
    00000000.00000002.401019526.00000000023B9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      Process Memory Space: wssvZm9dNK.exe PID: 2036JoeSecurity_PXRECVOWEIWOEIYara detected PXRECVOWEIWOEI StealerJoe Security
        Process Memory Space: wssvZm9dNK.exe PID: 2036JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: wssvZm9dNK.exe PID: 2036JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Source: DNS queryAuthor: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Users\user\Desktop\wssvZm9dNK.exe, QueryName: icanhazip.com

            Stealing of Sensitive Information

            Source: Process startedAuthor: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\wssvZm9dNK.exe", ParentImage: C:\Users\user\Desktop\wssvZm9dNK.exe, ParentProcessId: 2036, ParentProcessName: wssvZm9dNK.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 2964, ProcessName: cmd.exe
            No Snort rule has matched

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            Source: wssvZm9dNK.exeAvira: detected
            Source: wssvZm9dNK.exeReversingLabs: Detection: 52%
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: wssvZm9dNK.exeJoe Sandbox ML: detected
            Source: unknownHTTPS traffic detected: -> version: TLS 1.0
            Source: unknownHTTPS traffic detected: -> version: TLS 1.2
            Source: wssvZm9dNK.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE