
Windows Analysis Report
7FEGBYFBHFBJH32.exe

Overview

General Information

Sample name: 7FEGBYFBHFBJH32.exe
Analysis ID: 1583097
MD5: 5fd5700f4787f405bc2a0fc6e6233037
SHA1: ba4e438f6976803a6965fb5dd7187a9f0674e4c8
SHA256: a680029a0a1bd1aa336b5e4086104f21f2a97b054e6fb1b9fb122ed32786ce12
Tags: exe, user-aachum

Detection

44Caliber Stealer, BlackGuard, Rags Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected 44Caliber Stealer
Yara detected BlackGuard
Yara detected Rags Stealer
AI detected suspicious sample
Contains functionality to capture screen (.Net source)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 7FEGBYFBHFBJH32.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe" MD5: 5FD5700F4787F405BC2A0FC6E6233037)
    • WerFault.exe (PID: 7580 cmdline: C:\Windows\system32\WerFault.exe -u -p 7416 -s 1700 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Malware configuration (44Caliber Stealer, as extracted by the sandbox): {"Discord Webhook": "https://discord.com/api/webhooks/1324061351169101927/Upg-sOh6FXJYwbAsqIx2PTZdfYr6z3JtFkd-CN6KxlCaM74dpejrx9TbGUYSk03-Cb92\u0001123321"}

Yara matches on the sample file:

Source | Rule | Description | Author
7FEGBYFBHFBJH32.exe | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security
7FEGBYFBHFBJH32.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
7FEGBYFBHFBJH32.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
7FEGBYFBHFBJH32.exe | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security
7FEGBYFBHFBJH32.exe | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security
Yara matches on memory dumps:

Source | Rule | Description | Author
00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security
00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security
00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security
00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
  • Matched string 0x40faf:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
Yara matches on unpacked PEs:

Source | Rule | Description | Author
0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security
0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security
0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security
No Sigma rule has matched
No Suricata rule has matched


                              AV Detection

Source: 7FEGBYFBHFBJH32.exe | Avira: detected
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | Malware Configuration Extractor: 44Caliber Stealer {"Discord Webhook": "https://discord.com/api/webhooks/1324061351169101927/Upg-sOh6FXJYwbAsqIx2PTZdfYr6z3JtFkd-CN6KxlCaM74dpejrx9TbGUYSk03-Cb92\u0001123321"}
Source: 7FEGBYFBHFBJH32.exe | Virustotal: Detection: 71%
Source: Yara match | File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: 7FEGBYFBHFBJH32.exe | Joe Sandbox ML: detected

                              Location Tracking

Source: unknown | DNS query: name: freegeoip.app