
Windows Analysis Report
drop1.exe

Overview

General Information

Sample name: drop1.exe
Analysis ID: 1584392
MD5: cf2ac2dce038a884fce94f9350327033
SHA1: a2d1c361993e3b1b3289e4905287cb2c9a1714de
SHA256: 6d38c8152edc5634fa7cae67424a5b28e1dca4b1037d99704c331c91faca77b7
Tags: exe user-juroots

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • drop1.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\drop1.exe" MD5: CF2AC2DCE038A884FCE94F9350327033)
    • conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • drop1.exe (PID: 3444 cmdline: "C:\Users\user\Desktop\drop1.exe" MD5: CF2AC2DCE038A884FCE94F9350327033)
  • cleanup
Extracted malware configuration (Meduza Stealer):
{"C2 url": "66.63.187.173", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "1", "links": "", "port": 15666}
Yara matches in process memory dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp | infostealer_win_meduzastealer | Finds MeduzaStealer samples based on specific strings | Sekoia.io
  • 0xff0dc:$str01: emoji
  • 0x1018d8:$str02: %d-%m-%Y, %H:%M:%S
  • 0x101940:$str03: [UTC
  • 0x10194c:$str04: user_name
  • 0x101970:$str05: computer_name
  • 0x101994:$str06: timezone
  • 0x1018c4:$str07: current_path()
  • 0xff0a8:$str08: [json.exception.
  • 0x11502e:$str09: GDI32.dll
  • 0x1152a0:$str10: GdipGetImageEncoders
  • 0x115318:$str10: GdipGetImageEncoders
  • 0x114948:$str11: GetGeoInfoA
Process Memory Space: drop1.exe PID: 3444 | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
Process Memory Space: drop1.exe PID: 3444 | JoeSecurity_CredGrabber | Yara detected CredGrabber | Joe Security
Yara matches in unpacked PEs

Source | Rule | Description | Author | Strings
0.2.drop1.exe.1416e20.1.unpack | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
0.2.drop1.exe.1416e20.1.unpack | infostealer_win_meduzastealer | Finds MeduzaStealer samples based on specific strings | Sekoia.io
  • 0xfbcdc:$str01: emoji
  • 0xfe4d8:$str02: %d-%m-%Y, %H:%M:%S
  • 0xfe540:$str03: [UTC
  • 0xfe54c:$str04: user_name
  • 0xfe570:$str05: computer_name
  • 0xfe594:$str06: timezone
  • 0xfe4c4:$str07: current_path()
  • 0xfbca8:$str08: [json.exception.
  • 0x111c2e:$str09: GDI32.dll
  • 0x111ea0:$str10: GdipGetImageEncoders
  • 0x111f18:$str10: GdipGetImageEncoders
  • 0x111548:$str11: GetGeoInfoA
2.2.drop1.exe.400000.0.unpack | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
2.2.drop1.exe.400000.0.unpack | infostealer_win_meduzastealer | Finds MeduzaStealer samples based on specific strings | Sekoia.io
  • 0xfd6dc:$str01: emoji
  • 0xffed8:$str02: %d-%m-%Y, %H:%M:%S
  • 0xfff40:$str03: [UTC
  • 0xfff4c:$str04: user_name
  • 0xfff70:$str05: computer_name
  • 0xfff94:$str06: timezone
  • 0xffec4:$str07: current_path()
  • 0xfd6a8:$str08: [json.exception.
  • 0x11362e:$str09: GDI32.dll
  • 0x1138a0:$str10: GdipGetImageEncoders
  • 0x113918:$str10: GdipGetImageEncoders
  • 0x112f48:$str11: GetGeoInfoA
2.2.drop1.exe.400000.0.raw.unpack | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-05T11:54:10.969583+0100 | 2049441 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 66.63.187.173 | 15666 | TCP
2025-01-05T11:54:10.969583+0100 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 66.63.187.173 | 15666 | TCP
2025-01-05T11:54:10.974496+0100 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 66.63.187.173 | 15666 | TCP
2025-01-05T11:54:10.969583+0100 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 66.63.187.173 | 15666 | TCP
2025-01-05T11:54:10.974496+0100 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 66.63.187.173 | 15666 | TCP


AV Detection

Source: 0.2.drop1.exe.1416e20.1.unpack | Malware Configuration Extractor: Meduza Stealer {"C2 url": "66.63.187.173", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "1", "links": "", "port": 15666}
Source: drop1.exe | Virustotal: Detection: 78%
Source: drop1.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_0047A610 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_0043D4A0 BCryptDestroyKey
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_0047A950 CryptProtectData,LocalFree
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_0047AAE0 BCryptDecrypt,BCryptDecrypt
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_00440B60 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_0047AE10 BCryptCloseAlgorithmProvider
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_0047AE80 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_00A3123B CryptContextAddRef
Source: drop1.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: drop1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\drop1.exe | Code function: 0_2_00A436A9 FindFirstFileExW
Source: C:\Users\user\Desktop\drop1.exe | Code function: 0_2_00A4375A FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_004402D0 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_004B84C0 FindClose,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_004B8545 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_004B84E0 FindFirstFileExW
Source: C:\Users\user\Desktop\drop1.exe | Code function: 2_2_00487550 GetLogicalDriveStringsW
Source: C:\Users\user\Desktop\drop1.exe | File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\drop1.exe | File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\drop1.exe | File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\drop1.exe | File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\