
Analysis Report kw1Jo3mNgd

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 167265
Start date: 25.08.2019
Start time: 18:46:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: kw1Jo3mNgd (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.spyw.evad.winEXE@2/4@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 99.5% (good quality ratio 96.7%)
  • Quality average: 84.8%
  • Quality standard deviation: 23.7%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 143
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Execution Graph export aborted for target kw1Jo3mNgd.exe, PID 4020 because there are no executed functions

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 80 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

The matrix is listed below by tactic (one list per column of the original matrix); a number in parentheses is the count shown beside that technique in the matrix.

Initial Access:
  • Replication Through Removable Media (1)
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
Execution:
  • Windows Remote Management
  • Service Execution
  • Windows Management Instrumentation
  • Scheduled Task
  • Command-Line Interface
  • Graphical User Interface
Persistence:
  • Winlogon Helper DLL
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
Privilege Escalation:
  • Process Injection (11)
  • Accessibility Features
  • Path Interception
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
Defense Evasion:
  • Masquerading (11)
  • Software Packing (1)
  • Process Injection (11)
  • Deobfuscate/Decode Files or Information (1)
  • Obfuscated Files or Information (2)
  • DLL Side-Loading (1)
Credential Access:
  • Input Capture (121)
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force
Discovery:
  • System Time Discovery (1)
  • Process Discovery (2)
  • Peripheral Device Discovery (1)
  • Security Software Discovery (31)
  • File and Directory Discovery (1)
  • System Information Discovery (22)
Lateral Movement:
  • Remote File Copy (1)
  • Replication Through Removable Media (1)
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
Collection:
  • Input Capture (121)
  • Clipboard Data (2)
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
  • Screen Capture
Exfiltration:
  • Exfiltration Over Alternative Protocol (1)
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
Command and Control:
  • Remote File Copy (1)
  • Standard Application Layer Protocol (1)
  • Custom Cryptographic Protocol
  • Multiband Communication
  • Standard Cryptographic Protocol
  • Commonly Used Port

Signature Overview


AV Detection:

Antivirus or Machine Learning detection for sample
Source: kw1Jo3mNgd.exe | Avira: Label: TR/Agent.hklh
Source: kw1Jo3mNgd.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for submitted file
Source: kw1Jo3mNgd.exe | virustotal: Detection: 93%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.kw1Jo3mNgd.exe.10000000.0.unpack | Avira: Label: TR/Agent.ssnsz
Source: 0.0.kw1Jo3mNgd.exe.10000000.1.unpack | Avira: Label: TR/Agent.hklh
Source: 0.0.kw1Jo3mNgd.exe.10000000.0.unpack | Avira: Label: TR/Agent.hklh
Source: 0.0.kw1Jo3mNgd.exe.10000000.2.unpack | Avira: Label: TR/Agent.hklh

Spreading:

May infect USB drives
Source: kw1Jo3mNgd.exe | Binary or memory string: autorun.inf
Source: kw1Jo3mNgd.exe | Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: kw1Jo3mNgd.exe | Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: kw1Jo3mNgd.exe, 00000000.00000000.621381776.0000000010001000.00000020.00020000.sdmp | Binary or memory string: [autorun]
Source: kw1Jo3mNgd.exe | Binary or memory string: [autorun]
Source: kw1Jo3mNgd.exe | Binary or memory string: autorun.inf
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10005CA4 FindFirstFileW,FindClose,0_2_10005CA4

Networking:

Contains functionality to upload files via FTP
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100068EC InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle,0_2_100068EC
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10005F86 URLDownloadToCacheFileW,CopyFileW,0_2_10005F86

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10008568 SetWindowsHookExW 0000000D,Function_00008040,00000000,00000000 0_2_10008568
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100069DC OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard,0_2_100069DC
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100069DC OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard,0_2_100069DC
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10008040 GetKeyboardState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,VirtualAlloc,SendMessageA,CallNextHookEx,0_2_10008040
Creates a DirectInput object (often for capturing keystrokes)
Source: kw1Jo3mNgd.exe, 00000000.00000002.666753133.000000000064A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: kw1Jo3mNgd.exe, type: SAMPLE | Matched rule: Detects XTREME sample analyzed in September 2017
Source: 0.0.kw1Jo3mNgd.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects XTREME sample analyzed in September 2017
Source: 0.0.kw1Jo3mNgd.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Detects XTREME sample analyzed in September 2017
Source: 0.0.kw1Jo3mNgd.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: Detects XTREME sample analyzed in September 2017
Source: 0.2.kw1Jo3mNgd.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects XTREME sample analyzed in September 2017
Contains functionality to call native functions
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000649C NtdllDefWindowProc_A,0_2_1000649C
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100064F4 NtdllDefWindowProc_A,0_2_100064F4
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000BD14 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,0_2_1000BD14
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000BD5E CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,0_2_1000BD5E
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000BD60 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,0_2_1000BD60
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10008568 VirtualFree,WriteFile,UnhookWindowsHookEx,SetFilePointer,GetFileSize,ReadFile,SetFilePointer,SetFileAttributesW,DeleteFileW,CreateFileW,WriteFile,CloseHandle,GetModuleHandleA,SetWindowsHookExW,UnhookWindowsHookEx,UnhookWindowsHookEx,GetModuleHandleA,SetWindowsHookExW,WriteFile,SetFilePointer,SetEndOfFile,NtdllDefWindowProc_A,0_2_10008568
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000AF50 NtdllDefWindowProc_A,0_2_1000AF50
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Creates mutexes
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4020
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: String function: 100037AC appears 176 times
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: String function: 10004EE8 appears 38 times
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: String function: 10003B94 appears 94 times
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: String function: 10003A34 appears 97 times
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: String function: 10006D04 appears 88 times
One or more processes crash
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 524
PE file contains strange resources
Source: kw1Jo3mNgd.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kw1Jo3mNgd.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: kw1Jo3mNgd.exe, type: SAMPLE | Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: kw1Jo3mNgd.exe, type: SAMPLE | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: CODE, type: SAMPLE | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 00000000.00000000.621381776.0000000010001000.00000020.00020000.sdmp, type: MEMORY | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 00000000.00000000.626642761.0000000010001000.00000020.00020000.sdmp, type: MEMORY | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 00000000.00000002.666839306.0000000010001000.00000020.00020000.sdmp, type: MEMORY | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 00000000.00000000.628828218.0000000010001000.00000020.00020000.sdmp, type: MEMORY | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 0.0.kw1Jo3mNgd.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.kw1Jo3mNgd.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 0.0.kw1Jo3mNgd.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.kw1Jo3mNgd.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 0.0.kw1Jo3mNgd.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.kw1Jo3mNgd.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 0.2.kw1Jo3mNgd.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.kw1Jo3mNgd.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Classification label
Source: classification engine | Classification label: mal80.spyw.evad.winEXE@2/4@0/0
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100051E8 FindResourceW,SizeofResource,LoadResource,LockResource,FreeResource,0_2_100051E8
Creates temporary files
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6FC.tmp
Reads software policies
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: kw1Jo3mNgd.exe | virustotal: Detection: 93%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\kw1Jo3mNgd.exe 'C:\Users\user\Desktop\kw1Jo3mNgd.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 524

Data Obfuscation:

PE file contains an invalid checksum
Source: kw1Jo3mNgd.exe | Static PE information: real checksum: 0x17092 should be: 0x2113d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000C038 push 1000C064h; ret 0_2_1000C05C
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000619C push 100061D4h; ret 0_2_100061CC
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100051A0 push 100051CCh; ret 0_2_100051C4
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100099C0 push 100099ECh; ret 0_2_100099E4
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000A240 push 1000A26Ch; ret 0_2_1000A264
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100052B0 push 100052FCh; ret 0_2_100052F4
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10004AF8 push 10004B49h; ret 0_2_10004B41
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000AB30 push 1000AB68h; ret 0_2_1000AB60
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000AB74 push 1000ABA0h; ret 0_2_1000AB98
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10006464 push 10006490h; ret 0_2_10006488
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000A4A0 push 1000A4D3h; ret 0_2_1000A4CB
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000BCDC push 1000BD08h; ret 0_2_1000BD00
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000BD14 push 1000BD08h; ret 0_2_1000BD00
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10004D28 push 10004D54h; ret 0_2_10004D4C
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10004D60 push 10004D8Ch; ret 0_2_10004D84
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10006630 push 1000665Ch; ret 0_2_10006654
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000966C push 100096F4h; ret 0_2_100096EC
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000B6C0 push 1000B6ECh; ret 0_2_1000B6E4
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100096F6 push 10009781h; ret 0_2_10009779
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100096F8 push 10009781h; ret 0_2_10009779
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000AF90 push 1000AFBCh; ret 0_2_1000AFB4
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000AFC8 push 1000AFBCh; ret 0_2_1000AFB4
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000CFE0 push 1000D02Eh; ret 0_2_1000D026

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (2636).png
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (19 identical entries in the original report)

Malware Analysis System Evasion:

Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10005CA4 FindFirstFileW,FindClose,0_2_10005CA4
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: kw1Jo3mNgd.exe | Binary or memory string: jiejwogfdjieovevodnvfnievngsegtsrgrefsfsfsgrsgrttrhgtehgfsgrfgtrwegtrejytjyegrsfvfbgfsdfhgtrfsgfrsgfgregtregtrfrgjbfdkbnfsdjbvofsjfrfreSVWU
Source: kw1Jo3mNgd.exe | Binary or memory string: trhgtehgfsgrfgtrwegtre
Queries a list of all running processes
Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_desktop_3f3714ea22baf985.cdf-ms
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Process queried: DebugPort
Enables debug privileges
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_1000BD14 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,0_2_1000BD14
May try to detect the Windows Explorer process (often used for injection)
Source: kw1Jo3mNgd.exe, 00000000.00000000.626460107.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: kw1Jo3mNgd.exe, 00000000.00000000.626460107.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: kw1Jo3mNgd.exe, 00000000.00000000.626460107.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: kw1Jo3mNgd.exe, 00000000.00000000.626460107.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_100098A8 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,0_2_100098A8
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: GetLocaleInfoA,0_2_10004A84
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10006B14 GetLocalTime,0_2_10006B14
Contains functionality to query windows version
Source: C:\Users\user\Desktop\kw1Jo3mNgd.exe | Code function: 0_2_10004B4D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,0_2_10004B4D

Behavior Graph

Behavior Graph ID: 167265
Sample: kw1Jo3mNgd
Start date: 25/08/2019
Architecture: WINDOWS
Score: 80

Sample-level signatures:
  • Malicious sample detected (through community Yara rule)
  • Antivirus or Machine Learning detection for sample
  • Icon mismatch, binary includes an icon from a different legit application in order to fool users
  • Multi AV Scanner detection for submitted file

Process: kw1Jo3mNgd.exe (started)
  Signatures:
  • Contains functionality to inject threads in other processes
  • Contains functionality to inject code into remote processes
  • Contains functionality to register a low level keyboard hook
  Child process: WerFault.exe 24 10 (started)
    Dropped file: C:\ProgramData\Microsoft\...\Report.wer, Little-endian

Simulations

Behavior and APIs

Time | Type | Description
18:48:09 | API Interceptor | 2x Sleep call for process: kw1Jo3mNgd.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
kw1Jo3mNgd.exe | 94% | virustotal |
kw1Jo3mNgd.exe | 100% | Avira | TR/Agent.hklh
kw1Jo3mNgd.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.kw1Jo3mNgd.exe.10000000.0.unpack | 100% | Avira | TR/Agent.ssnsz
0.0.kw1Jo3mNgd.exe.10000000.1.unpack | 100% | Avira | TR/Agent.hklh
0.0.kw1Jo3mNgd.exe.10000000.0.unpack | 100% | Avira | TR/Agent.hklh
0.0.kw1Jo3mNgd.exe.10000000.2.unpack | 100% | Avira | TR/Agent.hklh

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
kw1Jo3mNgd.exe | Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth
  • 0x5dcd:$x1: ServerKeyloggerU
  • 0x13371:$x2: TServerKeylogger
  • 0x89f0:$x3: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0xab70:$x4: X\x00T\x00R\x00E\x00M\x00E\x00B\x00I\x00N\x00D\x00E\x00R\x00
  • 0xa850:$s1: s\x00h\x00e\x00l\x00l\x00e\x00x\x00e\x00c\x00u\x00t\x00e\x00=\x00
  • 0x6d4c:$s2: [\x00E\x00x\x00e\x00c\x00u\x00t\x00e\x00]\x00
  • 0xa796:$s3: ;\x00o\x00p\x00e\x00n\x00=\x00R\x00E\x00C\x00Y\x00C\x00L\x00E\x00R\x00\\x00S\x00-\x001\x00-\x005\x00-\x002\x001\x00-\x001\x004\x008\x002\x004\x007\x006\x005\x000\x001\x00-\x003\x003\x005\x002\x004\x009\x001\x009\x003\x007\x00-\x006\x008\x002\x009\x009\x006\x003\x003\x000\x00-\x001\x000\x001\x003\x00\\x00
kw1Jo3mNgd.exe | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x45d8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0x9db8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xab70:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xf2f0:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xbd74:$b: S\x00e\x00r\x00v\x00e\x00r\x00S\x00t\x00a\x00r\x00t\x00e\x00d\x00
  • 0x89f0:$c: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x470c:$d: x\x00.\x00h\x00t\x00m\x00l\x00
  • 0x854a:$e: X\x00t\x00r\x00e\x00m\x00e\x00 \x00R\x00A\x00T\x00
CODE | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x41d8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0x99b8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xa770:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xb974:$b: S\x00e\x00r\x00v\x00e\x00r\x00S\x00t\x00a\x00r\x00t\x00e\x00d\x00
  • 0x85f0:$c: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x430c:$d: x\x00.\x00h\x00t\x00m\x00l\x00
  • 0x814a:$e: X\x00t\x00r\x00e\x00m\x00e\x00 \x00R\x00A\x00T\x00

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.621381776.0000000010001000.00000020.00020000.sdmp | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x41d8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0x99b8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xa770:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xb974:$b: S\x00e\x00r\x00v\x00e\x00r\x00S\x00t\x00a\x00r\x00t\x00e\x00d\x00
  • 0x85f0:$c: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x430c:$d: x\x00.\x00h\x00t\x00m\x00l\x00
  • 0x814a:$e: X\x00t\x00r\x00e\x00m\x00e\x00 \x00R\x00A\x00T\x00
00000000.00000000.626642761.0000000010001000.00000020.00020000.sdmp | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x41d8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0x99b8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xa770:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xb974:$b: S\x00e\x00r\x00v\x00e\x00r\x00S\x00t\x00a\x00r\x00t\x00e\x00d\x00
  • 0x85f0:$c: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x430c:$d: x\x00.\x00h\x00t\x00m\x00l\x00
  • 0x814a:$e: X\x00t\x00r\x00e\x00m\x00e\x00 \x00R\x00A\x00T\x00
00000000.00000002.666839306.0000000010001000.00000020.00020000.sdmp | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x41d8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0x99b8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xa770:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xb974:$b: S\x00e\x00r\x00v\x00e\x00r\x00S\x00t\x00a\x00r\x00t\x00e\x00d\x00
  • 0x85f0:$c: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x430c:$d: x\x00.\x00h\x00t\x00m\x00l\x00
  • 0x814a:$e: X\x00t\x00r\x00e\x00m\x00e\x00 \x00R\x00A\x00T\x00
00000000.00000000.628828218.0000000010001000.00000020.00020000.sdmp | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x41d8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0x99b8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xa770:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xb974:$b: S\x00e\x00r\x00v\x00e\x00r\x00S\x00t\x00a\x00r\x00t\x00e\x00d\x00
  • 0x85f0:$c: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x430c:$d: x\x00.\x00h\x00t\x00m\x00l\x00
  • 0x814a:$e: X\x00t\x00r\x00e\x00m\x00e\x00 \x00R\x00A\x00T\x00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.kw1Jo3mNgd.exe.10000000.0.unpack | Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth
  • 0x5dcd:$x1: ServerKeyloggerU
  • 0x13371:$x2: TServerKeylogger
  • 0x89f0:$x3: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0xab70:$x4: X\x00T\x00R\x00E\x00M\x00E\x00B\x00I\x00N\x00D\x00E\x00R\x00
  • 0xa850:$s1: s\x00h\x00e\x00l\x00l\x00e\x00x\x00e\x00c\x00u\x00t\x00e\x00=\x00
  • 0x6d4c:$s2: [\x00E\x00x\x00e\x00c\x00u\x00t\x00e\x00]\x00
  • 0xa796:$s3: ;\x00o\x00p\x00e\x00n\x00=\x00R\x00E\x00C\x00Y\x00C\x00L\x00E\x00R\x00\\x00S\x00-\x001\x00-\x005\x00-\x002\x001\x00-\x001\x004\x008\x002\x004\x007\x006\x005\x000\x001\x00-\x003\x003\x005\x002\x004\x009\x001\x009\x003\x007\x00-\x006\x008\x002\x009\x009\x006\x003\x003\x000\x00-\x001\x000\x001\x003\x00\\x00
0.0.kw1Jo3mNgd.exe.10000000.0.unpack | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x45d8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0x9db8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xab70:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xf2f0:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xbd74:$b: S\x00e\x00r\x00v\x00e\x00r\x00S\x00t\x00a\x00r\x00t\x00e\x00d\x00
  • 0x89f0:$c: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x470c:$d: x\x00.\x00h\x00t\x00m\x00l\x00
  • 0x854a:$e: X\x00t\x00r\x00e\x00m\x00e\x00 \x00R\x00A\x00T\x00
0.0.kw1Jo3mNgd.exe.10000000.2.unpack | Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth
  • 0x5dcd:$x1: ServerKeyloggerU
  • 0x13371:$x2: TServerKeylogger
  • 0x89f0:$x3: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0xab70:$x4: X\x00T\x00R\x00E\x00M\x00E\x00B\x00I\x00N\x00D\x00E\x00R\x00
  • 0xa850:$s1: s\x00h\x00e\x00l\x00l\x00e\x00x\x00e\x00c\x00u\x00t\x00e\x00=\x00
  • 0x6d4c:$s2: [\x00E\x00x\x00e\x00c\x00u\x00t\x00e\x00]\x00
  • 0xa796:$s3: ;\x00o\x00p\x00e\x00n\x00=\x00R\x00E\x00C\x00Y\x00C\x00L\x00E\x00R\x00\\x00S\x00-\x001\x00-\x005\x00-\x002\x001\x00-\x001\x004\x008\x002\x004\x007\x006\x005\x000\x001\x00-\x003\x003\x005\x002\x004\x009\x001\x009\x003\x007\x00-\x006\x008\x002\x009\x009\x006\x003\x003\x000\x00-\x001\x000\x001\x003\x00\\x00
0.0.kw1Jo3mNgd.exe.10000000.2.unpack | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x45d8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0x9db8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xab70:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xf2f0:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xbd74:$b: S\x00e\x00r\x00v\x00e\x00r\x00S\x00t\x00a\x00r\x00t\x00e\x00d\x00
  • 0x89f0:$c: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x470c:$d: x\x00.\x00h\x00t\x00m\x00l\x00
  • 0x854a:$e: X\x00t\x00r\x00e\x00m\x00e\x00 \x00R\x00A\x00T\x00
0.0.kw1Jo3mNgd.exe.10000000.1.unpack | Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth
  • 0x5dcd:$x1: ServerKeyloggerU
  • 0x13371:$x2: TServerKeylogger
  • 0x89f0:$x3: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0xab70:$x4: X\x00T\x00R\x00E\x00M\x00E\x00B\x00I\x00N\x00D\x00E\x00R\x00
  • 0xa850:$s1: s\x00h\x00e\x00l\x00l\x00e\x00x\x00e\x00c\x00u\x00t\x00e\x00=\x00
  • 0x6d4c:$s2: [\x00E\x00x\x00e\x00c\x00u\x00t\x00e\x00]\x00
  • 0xa796:$s3: ;\x00o\x00p\x00e\x00n\x00=\x00R\x00E\x00C\x00Y\x00C\x00L\x00E\x00R\x00\\x00S\x00-\x001\x00-\x005\x00-\x002\x001\x00-\x001\x004\x008\x002\x004\x007\x006\x005\x000\x001\x00-\x003\x003\x005\x002\x004\x009\x001\x009\x003\x007\x00-\x006\x008\x002\x009\x009\x006\x003\x003\x000\x00-\x001\x000\x001\x003\x00\\x00
0.0.kw1Jo3mNgd.exe.10000000.1.unpack | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x45d8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0x9db8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xab70:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xf2f0:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xbd74:$b: S\x00e\x00r\x00v\x00e\x00r\x00S\x00t\x00a\x00r\x00t\x00e\x00d\x00
  • 0x89f0:$c: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x470c:$d: x\x00.\x00h\x00t\x00m\x00l\x00
  • 0x854a:$e: X\x00t\x00r\x00e\x00m\x00e\x00 \x00R\x00A\x00T\x00
0.2.kw1Jo3mNgd.exe.10000000.0.unpack | Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth
  • 0x5dcd:$x1: ServerKeyloggerU
  • 0x13371:$x2: TServerKeylogger
  • 0x89f0:$x3: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0xab70:$x4: X\x00T\x00R\x00E\x00M\x00E\x00B\x00I\x00N\x00D\x00E\x00R\x00
  • 0xa850:$s1: s\x00h\x00e\x00l\x00l\x00e\x00x\x00e\x00c\x00u\x00t\x00e\x00=\x00
  • 0x6d4c:$s2: [\x00E\x00x\x00e\x00c\x00u\x00t\x00e\x00]\x00
  • 0xa796:$s3: ;\x00o\x00p\x00e\x00n\x00=\x00R\x00E\x00C\x00Y\x00C\x00L\x00E\x00R\x00\\x00S\x00-\x001\x00-\x005\x00-\x002\x001\x00-\x001\x004\x008\x002\x004\x007\x006\x005\x000\x001\x00-\x003\x003\x005\x002\x004\x009\x001\x009\x003\x007\x00-\x006\x008\x002\x009\x009\x006\x003\x003\x000\x00-\x001\x000\x001\x003\x00\\x00
0.2.kw1Jo3mNgd.exe.10000000.0.unpack | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x45d8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0x9db8:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xab70:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xf2f0:$a: X\x00T\x00R\x00E\x00M\x00E\x00
  • 0xbd74:$b: S\x00e\x00r\x00v\x00e\x00r\x00S\x00t\x00a\x00r\x00t\x00e\x00d\x00
  • 0x89f0:$c: X\x00t\x00r\x00e\x00m\x00e\x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x470c:$d: x\x00.\x00h\x00t\x00m\x00l\x00
  • 0x854a:$e: X\x00t\x00r\x00e\x00m\x00e\x00 \x00R\x00A\x00T\x00

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
