Windows Analysis Report
A0cYOljhtv.exe

Overview

General Information

Sample name: A0cYOljhtv.exe (renamed because original name is a hash value)
Original sample name: 83b591f5ea6d9131d736b8fbf255ff5f691d84ad8625778f959295764575067e.exe
Analysis ID: 1556510
MD5: 5a8ebbdc35e6a3caecfa66340826e192
SHA1: 0969613872152b004fe0bcb876ac384782ce8f4f
SHA256: 83b591f5ea6d9131d736b8fbf255ff5f691d84ad8625778f959295764575067e
Tags: exe, Urelas, user-JAMESWT_MHT

Detection

Urelas
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Urelas
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Entry point lies outside standard sections
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • A0cYOljhtv.exe (PID: 4348 cmdline: "C:\Users\user\Desktop\A0cYOljhtv.exe" MD5: 5A8EBBDC35E6A3CAECFA66340826E192)
    • shoste.exe (PID: 1196 cmdline: "C:\Users\user~1\AppData\Local\Temp\shoste.exe" MD5: 7FED5B8CF3EE76D62566D7C80BEB528D)
    • cmd.exe (PID: 1792 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\sanfdr.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": ["218.54.28.139", "121.88.5.183"], "Drop filename": ["histe", "shoste"]}
Source | Rule | Description | Author | Strings
00000000.00000002.1285834333.0000000000841000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Urelas | Yara detected Urelas | Joe Security |
00000008.00000002.1486563563.00000000008B1000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_Urelas | Yara detected Urelas | Joe Security |

Source | Rule | Description | Author | Strings
0.2.A0cYOljhtv.exe.840000.0.unpack | JoeSecurity_Urelas | Yara detected Urelas | Joe Security |
8.2.shoste.exe.8b0000.0.unpack | JoeSecurity_Urelas | Yara detected Urelas | Joe Security |

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user~1\AppData\Local\Temp\shoste.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\A0cYOljhtv.exe, ProcessId: 4348, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\shoste.exe", CommandLine: "C:\Users\user~1\AppData\Local\Temp\shoste.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\shoste.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\shoste.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\shoste.exe, ParentCommandLine: "C:\Users\user\Desktop\A0cYOljhtv.exe", ParentImage: C:\Users\user\Desktop\A0cYOljhtv.exe, ParentProcessId: 4348, ParentProcessName: A0cYOljhtv.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\shoste.exe", ProcessId: 1196, ProcessName: shoste.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-15T14:57:21.415274+0100 | 2804923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49700 | 121.88.5.183 | 11120 | TCP
2024-11-15T14:57:29.909899+0100 | 2804923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49717 | 121.88.5.184 | 11170 | TCP

AV Detection

Source: A0cYOljhtv.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Avira: detection malicious, Label: BDS/Backdoor.Gen7
Source: golfinfo.ini.0.dr | Malware Configuration Extractor: Urelas {"C2 url": ["218.54.28.139", "121.88.5.183"], "Drop filename": ["histe", "shoste"]}
Source: A0cYOljhtv.exe | ReversingLabs: Detection: 89%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Joe Sandbox ML: detected
Source: A0cYOljhtv.exe | Joe Sandbox ML: detected
Source: A0cYOljhtv.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: A0cYOljhtv.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2804923 - Severity 1 - ETPRO MALWARE Rootkit.Win32.Bootkor.ha CnC Traffic : 192.168.2.7:49717 -> 121.88.5.184:11170
Source: Network traffic | Suricata IDS: 2804923 - Severity 1 - ETPRO MALWARE Rootkit.Win32.Bootkor.ha CnC Traffic : 192.168.2.7:49700 -> 121.88.5.183:11120
Source: Malware configuration extractor | IPs: 218.54.28.139
Source: Malware configuration extractor | IPs: 121.88.5.183
Source: global traffic | TCP traffic: 192.168.2.7:49700 -> 121.88.5.183:11120
Source: global traffic | TCP traffic: 192.168.2.7:49717 -> 121.88.5.184:11170
Source: Joe Sandbox View | ASN Name: CNM-AS-KRDLIVEKR CNM-AS-KRDLIVEKR
Source: Joe Sandbox View | ASN Name: CNM-AS-KRDLIVEKR CNM-AS-KRDLIVEKR
Source: Joe Sandbox View | ASN Name: SKB-ASSKBroadbandCoLtdKR SKB-ASSKBroadbandCoLtdKR
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.183
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.183
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.183
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.183
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.183
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.184
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.184
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.184
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.184
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.184
Source: unknown | TCP traffic detected without corresponding DNS query: 121.88.5.184
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Code function: 0_2_008443C9 recv,_memmove,0_2_008443C9
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Code function: 0_2_00842E60: CreateFileW,DeviceIoControl,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CloseHandle,0_2_00842E60
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Code function: String function: 008B7650 appears 31 times
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Code function: String function: 00847650 appears 31 times
Source: A0cYOljhtv.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@0/3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | File created: C:\Users\user~1\AppData\Local\Temp\golfinfo.ini
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\sanfdr.bat" "
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Command line argument: Foilde | 0_2_00841000
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Command line argument: Foilde | 0_2_00841000
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Command line argument: 218.54.31.226 | 0_2_00841000
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Command line argument: tmp5RST.exe | 0_2_00841000
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Command line argument: Foilde | 8_2_008B1000
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Command line argument: Foilde | 8_2_008B1000
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Command line argument: 121.88.5.183 | 8_2_008B1000
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Command line argument: tmp5RST.exe | 8_2_008B1000
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Command line argument: tmp5RST.exe | 8_2_008B1000
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Command line argument: tmp5RST.exe | 8_2_008B1000
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: A0cYOljhtv.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | File read: C:\Users\user\Desktop\A0cYOljhtv.exe
Source: unknown | Process created: C:\Users\user\Desktop\A0cYOljhtv.exe "C:\Users\user\Desktop\A0cYOljhtv.exe"
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Process created: C:\Users\user\AppData\Local\Temp\shoste.exe "C:\Users\user~1\AppData\Local\Temp\shoste.exe"
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\sanfdr.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Process created: C:\Users\user\AppData\Local\Temp\shoste.exe "C:\Users\user~1\AppData\Local\Temp\shoste.exe"
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\sanfdr.bat" "
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\shoste.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\A0cYOljhtv.exe | File written: C:\Users\user\AppData\Local\Temp\golfinfo.ini