Windows
Analysis Report
7FEGBYFBHFBJH32.exe
Overview
General Information
Detection
44Caliber Stealer, BlackGuard, Rags Stealer
Metric | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected 44Caliber Stealer
Yara detected BlackGuard
Yara detected Rags Stealer
AI detected suspicious sample
Contains functionality to capture screen (.Net source)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- 7FEGBYFBHFBJH32.exe (PID: 7416, cmdline: "C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe", MD5: 5FD5700F4787F405BC2A0FC6E6233037)
  - WerFault.exe (PID: 7580, cmdline: C:\Windows\system32\WerFault.exe -u -p 7416 -s 1700, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
BlackGuard | According to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients. | No Attribution | |
{"Discord Webhook": "https://discord.com/api/webhooks/1324061351169101927/Upg-sOh6FXJYwbAsqIx2PTZdfYr6z3JtFkd-CN6KxlCaM74dpejrx9TbGUYSk03-Cb92\u0001123321"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security | |
| | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security | |
| | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security | |
| | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security | |
No Sigma rule has matched
No Suricata rule has matched
AV Detection |
---|
Source: Avira |
Source: Malware Configuration Extractor |
Source: Virustotal (Perma Link) |
Source: File source |
Source: File source |
Source: File source |
Source: Integrated Neural Analysis Model |
Source: Joe Sandbox ML |

Location Tracking |
---|
Source: DNS query |