Windows
Analysis Report
wssvZm9dNK.exe
Overview
General Information
Sample name: | wssvZm9dNK.exe (renamed because original name is a hash value) |
Original sample name: | 2c5697f085b66bec06e28ed6d24ec606.exe |
Analysis ID: | 1461765 |
MD5: | 2c5697f085b66bec06e28ed6d24ec606 |
SHA1: | a3910a0f75b328f996983847cfdcc5df85520e98 |
SHA256: | 432dc35a995a5ba33b1f3887b3cc7804fcc3d5d2b1d4aec2664acaf20cb11bad |
Infos: | |
Detection
PXRECVOWEIWOEI Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AntiVM3
Yara detected PXRECVOWEIWOEI Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Classification
- System is w7x64
- wssvZm9dNK.exe (PID: 2036, cmdline: "C:\Users\user\Desktop\wssvZm9dNK.exe", MD5: 2C5697F085B66BEC06E28ED6D24EC606)
  - cmd.exe (PID: 2964, cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, MD5: AD7B9C14083B52BC532FBA5948342B98)
    - chcp.com (PID: 2776, cmdline: chcp 65001, MD5: 4436B1A16BDC58D2B3A5263F042C09B3)
    - netsh.exe (PID: 2712, cmdline: netsh wlan show profile, MD5: 784A50A6A09C25F011C3143DDD68E729)
    - findstr.exe (PID: 2120, cmdline: findstr All, MD5: 18F02C555FBC9885DF9DB77754D6BB9B)
- msiexec.exe (PID: 3040, cmdline: C:\Windows\system32\msiexec.exe /V, MD5: AC2E7152124CEED36846BD1B6592A00F)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PXRECVOWEIWOEI | Yara detected PXRECVOWEIWOEI Stealer | Joe Security | 
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | 
 | JoeSecurity_PXRECVOWEIWOEI | Yara detected PXRECVOWEIWOEI Stealer | Joe Security | 
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | 
 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | 
Source: | Author: Brandon George (blog post), Thomas Patzke: |

Stealing of Sensitive Information

Source: | Author: Joe Security: |
No Snort rule has matched
AV Detection
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |