
Windows Analysis Report
YDW0S5K7hi.exe

Overview

General Information

Sample name: YDW0S5K7hi.exe (renamed because the original name is a hash value)
Original sample name: 078f2f65179647c8a6af688be140138eae827e1f.exe
Analysis ID: 1555421
MD5: fe4ee341b4e7e0d03e27893bd6070a3e
SHA1: 078f2f65179647c8a6af688be140138eae827e1f
SHA256: fd32b776edd0656ad550b2a4981897515f5f2c793eb3d80da8fcd04f98b12222
Tags: exe, silverrat, user-NDA0E

Detection

SilverRat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected SilverRat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • YDW0S5K7hi.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\YDW0S5K7hi.exe" MD5: FE4EE341B4E7E0D03E27893BD6070A3E)
    • attrib.exe (PID: 7808 cmdline: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 7836 cmdline: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9C90.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7964 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • $77HelpPanel.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe" MD5: FE4EE341B4E7E0D03E27893BD6070A3E)
        • schtasks.exe (PID: 8092 cmdline: "schtasks.exe" /query /TN $77HelpPanel.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 8140 cmdline: "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 8188 cmdline: "schtasks.exe" /query /TN $77HelpPanel.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7328 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 4784 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • schtasks.exe (PID: 7400 cmdline: "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "HelpPanel_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00 MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • $77HelpPanel.exe (PID: 2608 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe "\$77HelpPanel.exe" /AsAdmin MD5: FE4EE341B4E7E0D03E27893BD6070A3E)
  • cleanup
Malware Configuration

Threatname: SilverRat

{
  "Mutex": "SilverMutex_RxWYRpnqXs",
  "Host": "109.120.138.54",
  "Port": "9999",
  "Relay Connect": "4",
  "Version": "1.0.0.0",
  "Discord Url": "https://discord.com/api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPT"
}
Yara Overview

Initial Sample
Source | Rule | Description | Author | Strings
YDW0S5K7hi.exe | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |

Dropped Files
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |

Memory Dumps
Source | Rule | Description | Author | Strings
00000000.00000000.1355697494.00000000004B2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
00000000.00000002.1404296493.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
Process Memory Space: YDW0S5K7hi.exe PID: 7600 | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |

Unpacked PEs
Source | Rule | Description | Author | Strings
0.0.YDW0S5K7hi.exe.4b0000.0.unpack | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
0.2.YDW0S5K7hi.exe.3e30b40.0.raw.unpack | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
0.2.YDW0S5K7hi.exe.3e30b40.0.unpack | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |

System Summary

Sigma matches

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe", ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, ParentProcessId: 7992, ParentProcessName: $77HelpPanel.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, ProcessId: 7328, ProcessName: powershell.exe

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\YDW0S5K7hi.exe, ProcessId: 7600, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default)

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST, CommandLine: "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST, CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe", ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, ParentProcessId: 7992, ParentProcessName: $77HelpPanel.exe, ProcessCommandLine: "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST, ProcessId: 8140, ProcessName: schtasks.exe

Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe", ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, ParentProcessId: 7992, ParentProcessName: $77HelpPanel.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, ProcessId: 7328, ProcessName: powershell.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T21:11:36.230576+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.7 | 49781 | TCP
2024-11-13T21:12:14.628423+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.7 | 49981 | TCP
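The persistence and defence-evasion chain in the process tree above (attrib +s +h on the comserver folder, schtasks /Create with /RL HIGHEST pointing into AppData\Roaming, a CurrentVersion\Run value, Set-MpPreference -ExclusionExtension from PowerShell) is what the Sigma records in this section encode. The Python below is an added example, not Joe Sandbox code and not part of the report: it reimplements those checks as plain functions and runs them over constructed Sysmon-style event dicts whose values are copied from the process tree and Sigma records, plus one constructed benign schtasks /query for contrast. Field names follow Sysmon EventID 1 and 13; the rule labels are my own, not the Sigma rule titles, and the list of user-writable path fragments is an assumption to tune per environment.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events modelled on this report's process tree and
# Sigma records (EventID 1 = process creation, EventID 13 = registry value set).
# Values are copied from the report; nothing here was captured from a live host.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit',
     "ParentImage": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST',
     "ParentImage": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /query /TN $77HelpPanel.exe',
     "ParentImage": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"},
    {"EventID": "13",
     "Image": r"C:\Users\user\Desktop\YDW0S5K7hi.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default)",
     "Details": r'"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"'},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "HelpPanel_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00',
     "ParentImage": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"},
    # Constructed benign control: an operator listing tasks from a console.
    {"EventID": "1",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /query /fo LIST",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Assumed list of path fragments a standard user can write to. A task or Run
# value pointing here, or created by a binary living here, is the signal.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "%appdata%", "%localappdata%", "%temp%")
SCHTASKS_CREATE = re.compile(r"/create\b", re.IGNORECASE)


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the labels of every check the event trips (empty list if none)."""
    hits: List[str] = []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if ev.get("EventID") == "1":
        # Defender exclusions added from PowerShell (Set-MpPreference -Exclusion*).
        if image.endswith("powershell.exe") and "set-mppreference" in cmd and "-exclusion" in cmd:
            hits.append("powershell_defender_exclusion")
        if image.endswith("schtasks.exe") and SCHTASKS_CREATE.search(cmd):
            # Task created by, or pointing at, a user-writable folder
            # (an unexpanded %VAR% in the command line also counts).
            if any(p in cmd or p in parent for p in USER_WRITABLE):
                hits.append("schtasks_create_from_user_writable_path")
            # /RL HIGHEST requests an elevated token; noisy alone, strong with the above.
            if "/rl highest" in cmd:
                hits.append("schtasks_create_highest_runlevel")
    elif ev.get("EventID") == "13":
        target = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        if "\\currentversion\\run" in target and any(p in details for p in USER_WRITABLE):
            hits.append("run_key_points_to_user_writable_path")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> tripped checks, omitting events with no hits."""
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, labels in scan(EVENTS).items():
        print(f"event {idx}: {', '.join(labels)}")
```

Two of the report's own events show why the parent path matters: the schtasks /query calls trip nothing (no /create), and the daily task whose /TR is the unexpanded "%MyFile%" is caught only because its parent binary lives under AppData\Roaming, not because of anything in the target string. On a real host, the same three checks map directly onto Sysmon EventID 1 and 13 or the 4688/4657 equivalents.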


AV Detection

Source: YDW0S5K7hi.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Avira: detection malicious, Label: HEUR/AGEN.1313069
Source: YDW0S5K7hi.exe | Malware Configuration Extractor: SilverRat {"Mutex": "SilverMutex_RxWYRpnqXs", "Host": "109.120.138.54", "Port": "9999", "Relay Connect": "4", "Version": "1.0.0.0", "Discord Url": "https://discord.com/api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPT"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | ReversingLabs: Detection: 60%
Source: YDW0S5K7hi.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Joe Sandbox ML: detected
Source: YDW0S5K7hi.exe | Joe Sandbox ML: detected
Source: YDW0S5K7hi.exe | String decryptor: -|S.S.S|-
Source: YDW0S5K7hi.exe | String decryptor: 109.120.138.54
Source: YDW0S5K7hi.exe | String decryptor: 9999
Source: YDW0S5K7hi.exe | String decryptor: https://discord.com/api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPT
Source: YDW0S5K7hi.exe | String decryptor: https://g.top4top.io/p_2522c7w8u1.png
Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.7:49760 version: TLS 1.2
Source: YDW0S5K7hi.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE