
Windows Analysis Report
e2mzbWePHw.exe

Overview

General Information

Sample name: e2mzbWePHw.exe (renamed because original name is a hash value)
Original sample name: 23b25ce90f70ffa0435db8df6a6764f2.exe
Analysis ID: 1569819
MD5: 23b25ce90f70ffa0435db8df6a6764f2
SHA1: 72d0c052f26309704f13c090495c3cdea4ed1bf2
SHA256: 9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3
Tags: exe, user-abuse_ch

Detection

Discord Token Stealer, Millenuim RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Discord Token Stealer
Yara detected Millenuim RAT
Yara detected Telegram RAT
Yara detected Telegram Recon
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to capture screen (.NET source)
Contains functionality to log keystrokes (.NET source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

  • System is w10x64
  • e2mzbWePHw.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\e2mzbWePHw.exe" MD5: 23B25CE90F70FFA0435DB8DF6A6764F2)
    • cmd.exe (PID: 7560 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpED0E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpED0E.tmp.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7616 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • tasklist.exe (PID: 7632 cmdline: Tasklist /fi "PID eq 7308" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • find.exe (PID: 7648 cmdline: find ":" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • timeout.exe (PID: 7676 cmdline: Timeout /T 1 /Nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • tasklist.exe (PID: 7696 cmdline: Tasklist /fi "PID eq 7308" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • find.exe (PID: 7704 cmdline: find ":" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • timeout.exe (PID: 7740 cmdline: Timeout /T 1 /Nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • Update.exe (PID: 7760 cmdline: "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe" MD5: 23B25CE90F70FFA0435DB8DF6A6764F2)
        • cmd.exe (PID: 7960 cmdline: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 8012 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • Update.exe (PID: 8172 cmdline: "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe" MD5: 23B25CE90F70FFA0435DB8DF6A6764F2)
    • cmd.exe (PID: 6988 cmdline: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 4920 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • Update.exe (PID: 6584 cmdline: "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe" MD5: 23B25CE90F70FFA0435DB8DF6A6764F2)
  • cleanup