Edit tour
Windows
Analysis Report
UPS tracking details.exe
Overview
General Information
| Sample name: | UPS tracking details.exe |
| Analysis ID: | 1627808 |
| MD5: | 28badf3eb1aa6ce975fee86e6ec1dc14 |
| SHA1: | 8f19c7dbdde308e463b0412d73ea7083b1bcc816 |
| SHA256: | 7f1764a28d27f381701d9254166241607a37a02eb2fe80d682baf15236da5b7e |
| Tags: | exeUPSuser-abuse_ch |
| Infos: |   |
 | |
Detection
PureLog Stealer, XWorm
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Downloads files with wrong headers with respect to MIME Content-Type
Drops VBS files to the startup folder
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
UPS tracking details.exe (PID: 3164 cmdline: "C:\Users\ user\Deskt op\UPS tra cking deta ils.exe" MD5: 28BADF3EB1AA6CE975FEE86E6EC1DC14) - UPS tracking details.exe (PID: 6572 cmdline:
"C:\Users\ user\Deskt op\UPS tra cking deta ils.exe" MD5: 28BADF3EB1AA6CE975FEE86E6EC1DC14) 
WerFault.exe (PID: 1104 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 572 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
{"C2 url": ["bin12.ydns.eu", "bin14.ydns.eu", "kingsbkup1.ydns.eu", "smfcs1.ydns.eu", "smfcs3.ydns.eu"], "Port": 4050, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| Click to see the 9 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io |
| |
| Click to see the 9 entries | ||||
Data Obfuscation |   |
|---|
| Source: | Author: Joe Security: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | Bad PDF prefix: | ||