Windows
Analysis Report
www.italialife24.it.exe
Overview
General Information
Detection
AZORult++, KoiLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected AZORult++ Trojan
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected KoiLoader
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Process Tree
- System is w10x64
  - www.italialife24.it.exe (PID: 7400, cmdline: "C:\Users\user\Desktop\www.italialife24.it.exe", MD5: 0F744F4AAA3157117ED49660FF19C0BE)
- cleanup
Malware Configuration
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Koi Loader | | No Attribution | | |
Extracted configuration:
{"C2": "http://195.123.217.43/oversate.php", "Payload url": "https://www.italialife24.it/wp-content/uploads/2021/05"}
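The extracted configuration above gives two network indicators: a plain-HTTP C2 check-in on a bare IP and an HTTPS payload directory on what looks like a compromised WordPress site (a wp-content/uploads path). The following Python is an added example for this page, not Joe Sandbox output and not code from the KoiLoader sample: it normalizes the config into IOC records (defanged for tickets) and drafts one Suricata rule per indicator. The IOC field names, rule messages, classtype and the sid range starting at 9000001 are the editor's arbitrary choices, not values from the report.

```python
"""Normalize the Koi Loader configuration extracted above into network IOCs
and draft Suricata rules for them.

Added example for this report; not Joe Sandbox output and not code from the
KoiLoader sample. Everything below the config string is the editor's: IOC
field names, rule messages, classtype and the sid range are arbitrary
choices (assumptions), not values taken from the report.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# The configuration string exactly as the report's extractor printed it.
KOI_CONFIG = (
    '{"C2": "http://195.123.217.43/oversate.php", '
    '"Payload url": "https://www.italialife24.it/wp-content/uploads/2021/05"}'
)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_iocs(config_json):
    """Return one IOC dict per URL in the config: role, scheme, host,
    effective port, path, ip/domain kind and a defanged copy (scheme and
    host only, so the path stays searchable in proxy logs)."""
    iocs = []
    for role, url in json.loads(config_json).items():
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
        iocs.append({
            "role": role,
            "url": url,
            "scheme": parts.scheme,
            "host": host,
            "port": port,
            "path": parts.path,
            "kind": "ip" if _is_ip(host) else "domain",
            "defanged": (f'{parts.scheme.replace("http", "hxxp")}://'
                         f'{host.replace(".", "[.]")}{parts.path}'),
        })
    return iocs


def suricata_rule(ioc, sid):
    """Draft a Suricata rule for one IOC.
    Plain HTTP: match the Host header (domains) or destination IP (IPs)
    plus the request URI. HTTPS: the URI is inside TLS, so a sensor
    without decryption can only match the SNI. The payload host here is
    a wp-content/uploads path, i.e. most likely a compromised legitimate
    site, so alert on it rather than blocking the whole domain."""
    msg = f'msg:"KoiLoader {ioc["role"]}: {ioc["host"]}{ioc["path"]}"'
    tail = f"classtype:trojan-activity; sid:{sid}; rev:1;"
    if ioc["scheme"] == "https":
        return (f'alert tls $HOME_NET any -> $EXTERNAL_NET 443 ({msg}; '
                f'tls.sni; content:"{ioc["host"]}"; {tail})')
    dst = ioc["host"] if ioc["kind"] == "ip" else "$EXTERNAL_NET"
    host_opt = "" if ioc["kind"] == "ip" else f'http.host; content:"{ioc["host"]}"; '
    return (f'alert http $HOME_NET any -> {dst} any ({msg}; '
            f'flow:established,to_server; {host_opt}'
            f'http.uri; content:"{ioc["path"]}"; startswith; {tail})')


def rules_for(config_json, base_sid=9000001):
    """Every IOC in the config as a Suricata rule, one sid each."""
    return [suricata_rule(ioc, base_sid + i)
            for i, ioc in enumerate(extract_iocs(config_json))]


if __name__ == "__main__":
    for ioc in extract_iocs(KOI_CONFIG):
        print(f'{ioc["role"]:<12} {ioc["kind"]:<6} {ioc["defanged"]}')
    print("\n".join(rules_for(KOI_CONFIG)))
```

The C2 rule keys on destination IP plus URI because the IP is the only host identity the sample has; the payload rule is TLS-only because nothing in the URI is visible without decryption, which is also why the report's own Suricata set had nothing to match on.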
Yara Overview
Rule | Description | Author |
---|---|---|
JoeSecurity_KoiLoader_1 | Yara detected KoiLoader | Joe Security |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
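Two of the Yara hits above are about the same technique: auto-elevating the CMSTPLUA COM object through an elevation moniker and calling its ICMLuaUtil interface to run a command as administrator. The rule bodies are not on this page, so the following Python is an added example by the editor (not Joe Security's or ditekSHen's code) that searches a PE image or memory dump for the publicly documented components of the technique: the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, the ICMLuaUtil IID {6EDD6D74-C007-4E75-B76A-E5740995E24C} and the "Elevation:Administrator!new:" moniker prefix, each in ASCII, in UTF-16LE (what CoGetObject receives) and, for the GUIDs, as the 16-byte little-endian struct passed to QueryInterface. The sample blobs are constructed for the demo.

```python
"""Scan a PE image or memory dump for the building blocks of the CMSTPLUA
UAC bypass that the Yara hits above point to.

Added example for this report, not code from Joe Security or ditekSHen:
the strings those rules match are not reproduced on the page, so this
looks for the publicly documented components of the technique instead.
The two GUIDs are the well-known CMSTPLUA CLSID and ICMLuaUtil IID; the
sample blobs at the bottom are constructed for the demo.
"""
import re
import uuid

CMSTPLUA_CLSID = uuid.UUID("3E5FC7F9-9A51-4367-9063-A120244FBEC7")
ICMLUAUTIL_IID = uuid.UUID("6EDD6D74-C007-4E75-B76A-E5740995E24C")
ELEVATION_MONIKER = "Elevation:Administrator!new:"


def _patterns():
    """Build (label, compiled regex) pairs for every marker and encoding.
    re.I on bytes folds ASCII case only, which is exactly what the hex
    digits of a GUID need, in both the ASCII and the UTF-16LE form."""
    pats = []
    for label, guid in (("CMSTPLUA CLSID", CMSTPLUA_CLSID),
                        ("ICMLuaUtil IID", ICMLUAUTIL_IID)):
        pats.append((f"{label} ascii", re.compile(re.escape(str(guid).encode()), re.I)))
        pats.append((f"{label} utf16", re.compile(re.escape(str(guid).encode("utf-16-le")), re.I)))
        # bytes_le is the in-memory GUID struct layout Windows uses.
        pats.append((f"{label} packed", re.compile(re.escape(guid.bytes_le))))
    pats.append(("elevation moniker ascii", re.compile(re.escape(ELEVATION_MONIKER.encode()), re.I)))
    pats.append(("elevation moniker utf16", re.compile(re.escape(ELEVATION_MONIKER.encode("utf-16-le")), re.I)))
    return pats


PATTERNS = _patterns()


def scan(blob):
    """Return sorted (offset, label) hits for every marker in the blob."""
    return sorted((m.start(), label) for label, rx in PATTERNS for m in rx.finditer(blob))


def verdict(hits):
    """Grade the hits. The bypass needs the elevated object (CLSID) and the
    moniker that asks for it elevated; a binary that only references the
    CLSID or IID (an inventory tool, a COM proxy) is reported as a
    reference, not as a bypass."""
    kinds = {label.rsplit(" ", 1)[0] for _, label in hits}
    if "CMSTPLUA CLSID" in kinds and "elevation moniker" in kinds:
        return "uac-bypass-cmstplua"
    if kinds & {"CMSTPLUA CLSID", "ICMLuaUtil IID"}:
        return "cmstplua-reference"
    return "clean"


# Constructed dump: the moniker as a wide string the way CoGetObject would
# receive it, followed by the ICMLuaUtil IID as a packed GUID struct.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 48
    + f"{ELEVATION_MONIKER}{{{CMSTPLUA_CLSID}}}".encode("utf-16-le")
    + b"\x00" * 8 + ICMLUAUTIL_IID.bytes_le + b"\x00" * 8 + b"ShellExec\x00"
)
# Constructed benign blob: mentions cmstp.exe but carries none of the COM markers.
BENIGN_BLOB = b"MZ" + b"\x00" * 62 + b"C:\\Windows\\System32\\cmstp.exe /ni /s profile.inf\x00"


if __name__ == "__main__":
    for off, label in scan(SAMPLE_DUMP):
        print(f"0x{off:08x}  {label}")
    print(verdict(scan(SAMPLE_DUMP)), verdict(scan(BENIGN_BLOB)))
```

Run this over the unpacked PE and the process memory dumps rather than the file on disk: the report flags unpacking and string decryption, so the packed sample may carry nothing but the 16-byte GUID struct, or nothing at all, until it has run.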
No Sigma rule has matched
No Suricata rule has matched
Signature Details
Evidence is listed per signature category; code addresses and API-chain graph IDs are as reported.

AV Detection
- Avira
- Malware Configuration Extractor
- ReversingLabs
- Integrated Neural Analysis Model
- Joe Sandbox ML
- Code functions 0_2_00608710, 0_2_006093A0

Exploits
- File source (6 entries)

Privilege Escalation
- Code function 0_2_00607300

Compliance
- Unpacked PE file
- Static PE information (2 entries)
- Code functions 0_2_004B993E, 0_2_006089F0

Networking
- URLs
- Code function 0_2_00606850
- String found in binary or memory (4 entries)

E-Banking Fraud
- Code function 0_2_00609240

System Summary
- Matched rule (2 entries)
- Code functions 0_2_00605C90, 0_2_00605FF0
- Code functions 0_2_004BFBC1, 0_2_00607C30, 0_2_006026D0, 0_2_00607730, 0_2_006043F0, 0_2_006047F0
- Static PE information
- Matched rule (2 entries)
- Classification label
- Code function 0_2_00606390
- Code function 0_2_00606C80
- Static PE information
- Key opened
- ReversingLabs
- Section loaded (12 entries)
- Static PE information (6 entries)
- Static PE information
- Static PE information
- Static PE information (5 entries)

Data Obfuscation
- Unpacked PE file
- File source (6 entries)
- Code function 0_2_004B1300
- Code function 0_2_004C02E4

Malware Analysis System Evasion
- Code function 0_2_006089F0
- Code function 0_2_006089F0
- Evasive API call chain graph_0-11363
- Evasive API call chain graph_0-11544
- File opened / queried
- API coverage
- Thread injection, dropped files, key value created, disk infection and DNS query
- Code functions 0_2_004B993E, 0_2_006089F0
- Binary or memory string (5 entries)
- API call chains graph_0-11462, graph_0-11680
- Code function 0_2_004B76CB
- Code function 0_2_004B1300
- Code functions 0_2_004B1710, 0_2_00607940, 0_2_00605FF0
- Code function 0_2_004BB779
- Thread injection, dropped files, key value created, disk infection and DNS query
- Code functions 0_2_004B5016, 0_2_004B49BE, 0_2_004B76CB, 0_2_004B4E89

HIPS / PFW / Operating System Protection Evasion
- Code function 0_2_00605C90
- Code function 0_2_006094A0 (3 entries)
- Code function 0_2_004B5125
- Code function 0_2_004B4D70
- Code function 0_2_006089F0
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 21 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Access Token Manipulation | LSASS Memory | 231 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 112 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Bypass User Account Control | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |