Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1550690
MD5:c426f46f2c074eda8c903f9868be046d
SHA1:d0352482370beff107eb2b2f13e2de275fbc91c7
SHA256:7cba781d569196e89a86f10cee7d69918fe05df1461d1f0ed3426ccb2046002e
Tags:exeuser-Bitsight
Infos:

Detection

WhiteSnake Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected WhiteSnake Stealer
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C426F46F2C074EDA8C903F9868BE046D)
    • cmd.exe (PID: 7436 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7640 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 7684 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 7692 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 7736 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7780 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 7796 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 7812 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 7972 cmdline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 8020 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • timeout.exe (PID: 8036 cmdline: timeout /t 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • cleanup
{"Version": "1.6.3.5", "Telegram Token": "7720988404:AAHJ1d0so4FzXOrfQavDsW60uUFev7BQSjU", "Telegram chatid": "1660795749", "C2 urls": ["http://147.124.221.201:8080"]}
SourceRuleDescriptionAuthorStrings
Process Memory Space: file.exe PID: 7260JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    Process Memory Space: file.exe PID: 7260JoeSecurity_WhiteSnakeYara detected WhiteSnake StealerJoe Security

      System Summary

      barindex
      Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7260, ParentProcessName: file.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 7436, ProcessName: cmd.exe
      Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7260, ParentProcessName: file.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 7436, ProcessName: cmd.exe
      Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 147.124.221.201, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\file.exe, Initiated: true, ProcessId: 7260, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

      Stealing of Sensitive Information

      barindex
      Source: Process startedAuthor: Joe Security: Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7260, ParentProcessName: file.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 7436, ProcessName: cmd.exe
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-11-07T03:07:01.191138+010020506021A Network Trojan was detected192.168.2.449731147.124.221.2018080TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-11-07T03:07:01.140283+010020506011A Network Trojan was detected192.168.2.449731147.124.221.2018080TCP

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Source: file.exeAvira: detected
      Source: 00000000.00000002.1710856387.000001D7A7311000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: WhiteSnake {"Version": "1.6.3.5", "Telegram Token": "7720988404:AAHJ1d0so4FzXOrfQavDsW60uUFev7BQSjU", "Telegram chatid": "1660795749", "C2 urls": ["http://147.124.221.201:8080"]}
      Source: http://185.217.98.121:80Virustotal: Detection: 12%Perma Link
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
      Source: file.exeJoe Sandbox ML: detected
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD9B8A7A21 CryptUnprotectData,0_2_00007FFD9B8A7A21
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD9B8A7B6D CryptUnprotectData,0_2_00007FFD9B8A7B6D