Windows
Analysis Report
hvqc3lk7ly.exe
Overview
General Information
Sample name: | hvqc3lk7ly.exerenamed because original name is a hash value |
Original sample name: | 177a970a8a6c5e5e6b5c04c40bf3fe1c.exe |
Analysis ID: | 1574860 |
MD5: | 177a970a8a6c5e5e6b5c04c40bf3fe1c |
SHA1: | 64709ca99a03f416a854817427d4543043e204ad |
SHA256: | 2a06b6535a0057b961f41e9b0790ffbc6f540566f2c21ae66cee4b61f5a360eb |
Tags: | exeuser-abuse_ch |
Infos: | |
Detection
Discord Token Stealer, DotStealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Discord Token Stealer
Yara detected DotStealer
Yara detected Telegram RAT
Yara detected Telegram Recon
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to capture screen (.Net source)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
hvqc3lk7ly.exe (PID: 6812 cmdline:
"C:\Users\ user\Deskt op\hvqc3lk 7ly.exe" MD5: 177A970A8A6C5E5E6B5C04C40BF3FE1C) cmd.exe (PID: 7088 cmdline:
"C:\Window s\System32 \cmd.exe" /C C:\User s\user\App Data\Local \Temp\tmp2 A4E.tmp.ba t & Del C: \Users\use r\AppData\ Local\Temp \tmp2A4E.t mp.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) conhost.exe (PID: 7100 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
{"C2 url": "https://api.telegram.org/bot8137653339:AAG5i0WFhwI1I4U5IchQ2c9wOIxNBiamQsk/sendMessage"}
{"Telegram Token": "8137653339:AAG5i0WFhwI1I4U5IchQ2c9wOIxNBiamQsk", "Telegram Chatid": "6518356118", "StartDelay": "0", "RegistryKey": "GlobalIrisService", "BrAgressive": "true", "TgData": "true", "Metamask": "true", "Exodus": "true", "grabDesktop": "true", "MeltFile": "true", "PreventStartOnVirtualMachine": "true", "NoInstall": "true"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security | ||
JoeSecurity_DiscordTokenStealer | Yara detected Discord Token Stealer | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_DotStealer | Yara detected DotStealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DotStealer | Yara detected DotStealer | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_DiscordTokenStealer | Yara detected Discord Token Stealer | Joe Security | ||
JoeSecurity_DiscordTokenStealer | Yara detected Discord Token Stealer | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
Click to see the 8 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DiscordTokenStealer | Yara detected Discord Token Stealer | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_DotStealer | Yara detected DotStealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
Click to see the 10 entries |
⊘No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-13T17:48:25.482177+0100 | 2039009 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.12 | 49715 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-13T17:48:19.988848+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.12 | 49713 | 208.95.112.1 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-13T17:48:24.562020+0100 | 2843856 | 1 | A Network Trojan was detected | 192.168.2.12 | 49715 | 149.154.167.220 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_00007FFE73450B50 | |
Source: | Code function: | 0_2_00007FFE73419020 | |
Source: | Code function: | 0_2_00007FFE73418FE0 | |
Source: | Code function: | 0_2_00007FFE73418DC0 |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_00007FFE73411DB0 |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | DNS |