Windows
Analysis Report
file.exe
Overview
General Information
Detection
WhiteSnake Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected WhiteSnake Stealer
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
- file.exe (PID: 7260, cmdline: "C:\Users\user\Desktop\file.exe", MD5: C426F46F2C074EDA8C903F9868BE046D)
  - cmd.exe (PID: 7436, cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - conhost.exe (PID: 7472, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - chcp.com (PID: 7640, cmdline: chcp 65001, MD5: 33395C4732A49065EA72590B14B64F32)
    - netsh.exe (PID: 7684, cmdline: netsh wlan show profiles, MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    - findstr.exe (PID: 7692, cmdline: findstr /R /C:"[ ]:[ ]", MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  - cmd.exe (PID: 7736, cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - conhost.exe (PID: 7744, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - chcp.com (PID: 7780, cmdline: chcp 65001, MD5: 33395C4732A49065EA72590B14B64F32)
    - netsh.exe (PID: 7796, cmdline: netsh wlan show networks mode=bssid, MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    - findstr.exe (PID: 7812, cmdline: findstr "SSID BSSID Signal", MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  - cmd.exe (PID: 7972, cmdline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - conhost.exe (PID: 7980, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - chcp.com (PID: 8020, cmdline: chcp 65001, MD5: 33395C4732A49065EA72590B14B64F32)
    - timeout.exe (PID: 8036, cmdline: timeout /t 3, MD5: 100065E21CFBBDE57CBA2838921F84D6)
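The process tree shows two behaviours worth turning into detections: WLAN profile enumeration (`netsh wlan show profiles` piped through `findstr /R /C:"[ ]:[ ]"`, which keeps only the ` : ` lines, i.e. the `All User Profile : <SSID>` entries) and self-removal through a detached `cmd /C ... timeout && DEL <own path>` chain. As an added example that is not part of the report and not Joe Security or WhiteSnake code, the Python below applies both detections to constructed Sysmon-style process-creation events that reproduce the report's PIDs and command lines; the parent PID of file.exe, the final benign cleanup event and the Sysmon-like field names are assumptions.

```python
"""Detection logic for the process-tree behaviours in the report above:
WLAN profile enumeration via netsh|findstr and self-deletion via a detached
"cmd /C ... timeout && DEL" chain. Added example, not Joe Sandbox or
WhiteSnake code. Event records are constructed to mirror the report's PIDs
and command lines; Sysmon Event ID 1 style fields are an assumed log source."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. PIDs and command lines come from the report above; the
# ppid of file.exe (1000) and the benign event 9000 are assumptions.
EVENTS = [
    ProcEvent(7260, 1000, r"C:\Users\user\Desktop\file.exe",
              r'"C:\Users\user\Desktop\file.exe"'),
    ProcEvent(7436, 7260, r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'),
    ProcEvent(7684, 7436, r"C:\Windows\System32\netsh.exe",
              "netsh wlan show profiles"),
    ProcEvent(7736, 7260, r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"'),
    ProcEvent(7972, 7260, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"'),
    # Benign scripted cleanup: no timeout, target is not the parent image.
    ProcEvent(9000, 8999, r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /c del /q C:\Temp\old.log'),
]

WLAN_PROFILES = re.compile(r"netsh\s+wlan\s+show\s+profiles?\b", re.I)
WLAN_NETWORKS = re.compile(r"netsh\s+wlan\s+show\s+networks\b", re.I)
KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.I)
# "timeout /t N ... && DEL [switches] <path>": the deleted path is captured.
DELAYED_DELETE = re.compile(
    r'timeout\s+/t\s+\d+.*&&\s*del\s+(?:/[a-z]\s+)*"?([^"]+?)"?\s*$', re.I)

# LOLBins that only relay the chain; walked past when attributing a finding.
SHELL_HELPERS = {"cmd.exe", "conhost.exe", "chcp.com", "netsh.exe",
                 "findstr.exe", "timeout.exe"}


def detect(events):
    """Return (rule, pid, severity) for every event matching a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if WLAN_PROFILES.search(e.cmdline):
            # "show profiles" only lists saved SSIDs; "key=clear" on one
            # profile prints the PSK, so that variant is rated higher.
            sev = "high" if KEY_CLEAR.search(e.cmdline) else "medium"
            findings.append(("wlan_profile_enum", e.pid, sev))
        elif WLAN_NETWORKS.search(e.cmdline):
            findings.append(("wlan_network_recon", e.pid, "low"))
        m = DELAYED_DELETE.search(e.cmdline)
        if m:
            target = m.group(1).strip().lower()
            parent = by_pid.get(e.ppid)
            if parent and target == parent.image.lower():
                # cmd spawned by the parent to delete the parent's own image
                # after a delay: the self-removal pattern in the report.
                findings.append(("self_delete_parent_image", e.pid, "high"))
            else:
                findings.append(("delayed_delete", e.pid, "low"))
    return findings


def origin(events, pid):
    """Walk ppid links past shell helpers to the process that started the chain."""
    by_pid = {e.pid: e for e in events}
    e = by_pid.get(pid)
    while e is not None and e.image.lower().rsplit("\\", 1)[-1] in SHELL_HELPERS:
        e = by_pid.get(e.ppid)
    return e.image if e else None


if __name__ == "__main__":
    for rule, pid, sev in detect(EVENTS):
        print(f"{sev:6} {rule:26} pid={pid} origin={origin(EVENTS, pid)}")
```

The parent-image comparison is what separates self-deletion from ordinary scripted cleanup: both use `DEL`, but only the former deletes the image of the process that spawned the `cmd.exe`, and `origin()` attributes every helper in the chain back to file.exe rather than to `cmd.exe`.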
Malware configuration (extracted):

```json
{
  "Version": "1.6.3.5",
  "Telegram Token": "7720988404:AAHJ1d0so4FzXOrfQavDsW60uUFev7BQSjU",
  "Telegram chatid": "1660795749",
  "C2 urls": ["http://147.124.221.201:8080"]
}
```
Rule | Description | Author
---|---|---
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_WhiteSnake | Yara detected WhiteSnake Stealer | Joe Security
System Summary

Sigma rule | Author
---|---
Invoke-Obfuscation CLIP+ Launcher | Jonathan Cheong, oscd.community
Invoke-Obfuscation VAR+ Launcher | Jonathan Cheong, oscd.community
Communication To Uncommon Destination Ports | Florian Roth (Nextron Systems)

Stealing of Sensitive Information

Sigma rule | Author
---|---
Capture Wi-Fi password | Joe Security
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
---|---|---|---|---|---|---|---|---
2024-11-07T03:07:01.140283+0100 | 2050601 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 147.124.221.201 | 8080 | TCP
2024-11-07T03:07:01.191138+0100 | 2050602 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 147.124.221.201 | 8080 | TCP
AV Detection

Source | Detection
---|---
Avira |
Malware Configuration Extractor |
Virustotal |
Integrated Neural Analysis Model |
Joe Sandbox ML |

Code function | Detail
---|---
0_2_00007FFD9B8A7A21 |
0_2_00007FFD9B8A7B6D |