
Analysis Report MossX64.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 215703
Start date: 16.03.2020
Start time: 18:26:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 16s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: MossX64.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.evad.winEXE@1/3@1/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 14% (good quality ratio 1.6%)
  • Quality average: 5%
  • Quality standard deviation: 14.6%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 40.127.240.158, 51.143.111.7, 52.142.119.134, 13.78.168.230, 20.185.109.208, 20.45.4.77, 13.83.149.5, 205.185.216.10, 205.185.216.42, 8.248.141.254, 8.241.121.126, 8.238.37.126, 8.241.83.126, 8.238.36.126, 8.241.121.254, 8.253.207.120, 8.241.79.254, 40.90.22.184, 40.90.22.190, 40.90.22.186, 51.105.249.223
  • Excluded domains from analysis (whitelisted): fe2.update.microsoft.com.nsatc.net, umwatson.trafficmanager.net, client.wns.windows.com, am3p.wns.notify.windows.com.akadns.net, sls.update.microsoft.com.akadns.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, ipv4.login.msa.akadns6.net, wns.notify.windows.com.akadns.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, sls.emea.update.microsoft.com.akadns.net, fe2.update.microsoft.com, login.live.com, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, sls.update.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, login.msa.akadns6.net
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Timeout during Intezer genetic analysis for /opt/package/joesandbox/database/analysis/215703/sample/MossX64.exe
  • Timeout during Intezer genetic analysis for unpackpe/0.0.MossX64.exe.7ff732de0000.0.unpack

Detection

Strategy: Threshold | Score: 56 | Range: 0 - 100 | Whitelisted: false | Detection: malicious

Confidence

Strategy: Threshold | Score: 5 | Range: 0 - 5 | Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Mitre Att&ck Matrix

Numbers in parentheses give the count of signatures that matched the technique; cells without a number are unmatched matrix entries.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through API (1) | Winlogon Helper DLL | Access Token Manipulation (1) | Masquerading (1) | Input Capture (21) | System Time Discovery (1) | Remote File Copy (2) | Screen Capture (1) | Data Encrypted (1) | Standard Cryptographic Protocol (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Process Injection (11) | Access Token Manipulation (1) | Network Sniffing | Process Discovery (1) | Remote Services | Input Capture (21) | Exfiltration Over Other Network Medium | Remote File Copy (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection (11) | Input Capture | Application Window Discovery (1) | Windows Remote Management | Clipboard Data (1) | Automated Exfiltration | Standard Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Deobfuscate/Decode Files or Information (1) | Credentials in Files | Account Discovery (1) | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol (12) | SIM Card Swap |  | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information (1) | Account Manipulation | System Owner/User Discovery (1) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | Security Software Discovery (131) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service |  | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Remote System Discovery (1) | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Network Connections Discovery (1) | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Network Configuration Discovery (1) | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station |  | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | System Information Discovery (14) | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy |  |  | Data Encrypted for Impact

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: MossX64.exe | Virustotal: Detection: 36%
Source: MossX64.exe | ReversingLabs: Detection: 32%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DFA5B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW

Networking:

Contains functionality to determine the online IP of the system
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DE57C0 InternetGetConnectedState,InternetReadFile,strchr,strchr,strchr,InternetCloseHandle, myip.php
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  GET /down/Mossupd2.txt HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
  Host: nohope.eu
Source: global traffic | HTTP traffic detected:
  GET /ga.php?utmac=MO-37074682-1&utmn=1854806732&utmr=-&utmp=%2FI_GameNoSet.php&guid=ON HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
  Host: nohope.eu
  Cookie: SERVERID105614=142092|Xm+2/|Xm+2/
Source: global traffic | HTTP traffic detected:
  GET /myip.php HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
  Host: nohope.eu
  Cookie: SERVERID105614=142092|Xm+2/|Xm+2/; __utmmobile=0xf92d65f1ea928f34
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DE3C20 InternetGetConnectedState,InternetReadFile,InternetCloseHandle,GetModuleHandleW,GetModuleFileNameW,strstr,GetTempPathW,InternetCloseHandle,GetActiveWindow,MessageBoxW,URLDownloadToFileW
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
  GET /down/Mossupd2.txt HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
  Host: nohope.eu
Source: global traffic | HTTP traffic detected:
  GET /ga.php?utmac=MO-37074682-1&utmn=1854806732&utmr=-&utmp=%2FI_GameNoSet.php&guid=ON HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
  Host: nohope.eu
  Cookie: SERVERID105614=142092|Xm+2/|Xm+2/
Source: global traffic | HTTP traffic detected:
  GET /myip.php HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
  Host: nohope.eu
  Cookie: SERVERID105614=142092|Xm+2/|Xm+2/; __utmmobile=0xf92d65f1ea928f34
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: nohope.eu
Urls found in memory or binary data
Source: MossX64.exe | String found in binary or memory: http://nohope.eu
Source: MossX64.exe | String found in binary or memory: http://nohope.eu/
Source: MossX64.exe | String found in binary or memory: http://nohope.eu/%s
Source: MossX64.exe | String found in binary or memory: http://nohope.eu/down/
Source: MossX64.exe, 00000000.00000002.2339509231.000001AB34973000.00000004.00000020.sdmp | String found in binary or memory: http://nohope.eu/down/Mossupd2.txt
Source: MossX64.exe | String found in binary or memory: http://nohope.eu/down/http://nohope.eu/select
Source: MossX64.exe, 00000000.00000002.2339509231.000001AB34973000.00000004.00000020.sdmp | String found in binary or memory: http://nohope.eu/ga.php?utmac=MO-37074682-1&utmn=1854806732&utmr=-&utmp=%2FI_GameNoSet.php&guid=ON
Source: MossX64.exe, 00000000.00000002.2338925452.0000009794FCA000.00000004.00000001.sdmp | String found in binary or memory: http://nohope.eu/ga.php?utmac=MO-37074682-1&utmn=1854806732&utmr=-&utmp=%2FI_GameNoSet.php&guid=ONp
Source: MossX64.exe, 00000000.00000002.2339625780.000001AB349C0000.00000004.00000020.sdmp | String found in binary or memory: http://nohope.eu/myip.php
Source: MossX64.exe | String found in binary or memory: http://nohope.euopenhttps://twitter.com/intent/follow?original_referer=Moss&ref_src=twsrc%5Etfw&scre
Source: MossX64.exe | String found in binary or memory: https://twitter.com/intent/follow?original_referer=Moss&ref_src=twsrc%5Etfw&screen_name=Nohope92&tw_

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E531A4 SrcHashImpl::SrcHashImpl,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DF2200 timeGetTime,CreateDCW,GetSystemMetrics,GetSystemMetrics,GetDeviceCaps,GetDeviceCaps,DeleteDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,GdiplusStartup,GdipAlloc,GdipCreateBitmapFromHBITMAP,SHGetFolderPathW,GetTempFileNameW,DeleteFileW,GdipSaveImageToFile,timeGetTime,GdiplusShutdown,SelectObject,DeleteObject,DeleteDC,DeleteDC
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F232AC GetAsyncKeyState,SendMessageW,std::ios_base::~ios_base,SendMessageW,RedrawWindow,GetWindowRect,OffsetRect,IsWindow
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F738B0 GetParent,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E3A7A8 MessageBeep,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEBB80
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DE3C20
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DF7D60
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEAEB0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DE92D0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732FAD5D4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E49DB8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E033E0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F7B440
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EF73E4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F2F454
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F6B498
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EFB388
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F534E4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EC74B8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEF4A0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E8B4AC
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732FA33B0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F5F3BC
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E231E0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E531A4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F232AC
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E87160
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F972E8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DF3310
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F27130
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F03270
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DF37E0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E937E5
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F77850
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E73778
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EDF764
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DFB730
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DE78C0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F977D4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E4385C
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEF870
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F6B7D0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E6B840
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E575E8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E0B530
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F8370C
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EAF524
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732ED7708
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F4354C
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E9B6DC
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F1B568
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F9756C
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E23638
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732FABC38
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E6FBA8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F1BCA4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEFB40
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EC3B18
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E57CD0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F5FB68
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F3BB70
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E53CA0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732ECBC78
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EDBC64
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E3FC58
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732FA3BE0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E67C3C
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732FB3BEC
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F23A90
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732FA3AC0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E3B960
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E2F94C
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F37998
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E43A38
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F17A04
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F6FA14
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F4806C
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F70088
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F580B4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F780C4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F0C0D4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F4FF44
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DE80D0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F1FFEC
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DFC020
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F3C008
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F67E58
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E83DB8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F3FE78
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F6BEA8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E4BD70
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E93D34
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F1A444
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F3A46C
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F4E4B8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E02321
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732ED2514
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EC64E8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732FB635C
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F0A378
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732ED64B4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E7A4A0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEA450
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DF2200
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EA21F0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F42284
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E06150
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DF6120
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E9E2E8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F561D0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E32224
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E0A810
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E8A7FC
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F72848
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DE2780
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E0E790
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EF2768
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E3E720
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F36750
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732ECA8CC
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F5A7C4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DF25D0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EFE580
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EB655C
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DE2540
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E52518
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F72538
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEE6B0
Enables security privileges
Source: C:\Users\user\Desktop\MossX64.exe | Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\MossX64.exe | Code function: String function: 00007FF732E0D18C appears 32 times
Source: C:\Users\user\Desktop\MossX64.exe | Code function: String function: 00007FF732E85F1C appears 57 times
Source: C:\Users\user\Desktop\MossX64.exe | Code function: String function: 00007FF732EACD40 appears 97 times
Source: C:\Users\user\Desktop\MossX64.exe | Code function: String function: 00007FF732DE3AD0 appears 240 times
PE file contains executable resources (Code or Archives)
Source: MossX64.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: MossX64.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
PE file contains strange resources
Source: MossX64.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MossX64.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MossX64.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MossX64.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name is different from the original file name gathered from version info
Source: MossX64.exe | Binary or memory string: OriginalFilename vs MossX64.exe
Source: MossX64.exe, 00000000.00000002.2346807965.000001AB38540000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs MossX64.exe
Source: MossX64.exe, 00000000.00000000.1914800309.00007FF73310E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGetCoreTempInfo.dll@ vs MossX64.exe
Source: MossX64.exe, 00000000.00000000.1914800309.00007FF73310E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMOSS.exe* vs MossX64.exe
Source: MossX64.exe, 00000000.00000002.2339625780.000001AB349C0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameD3D12.dllj% vs MossX64.exe
Source: MossX64.exe | Binary or memory string: OriginalFilenameGetCoreTempInfo.dll@ vs MossX64.exe
Source: MossX64.exe | Binary or memory string: OriginalFilenameMOSS.exe* vs MossX64.exe
Classification label
Source: classification engine | Classification label: mal56.evad.winEXE@1/3@1/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEBB80 CreateICW,GetDeviceCaps,GetDeviceCaps,DeleteDC,timeGetTime,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,DeleteFileW,LoadLibraryW,GetProcAddress,FreeLibrary,SHGetFolderPathA,PathAppendA,LoadCursorW,LoadIconW,LoadIconW,RegisterClassExW,CreateWindowExW,RegisterClassExW,GetDesktopWindow,CreateWindowExW,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetActiveWindow,MessageBoxW,SetLayeredWindowAttributes,ShowWindow,InvalidateRect,UpdateWindow,ShowWindow
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DF7D60 CoInitializeEx,CoCreateInstance,SysAllocString,SysFreeString,CoSetProxyBlanket,SysAllocString,SysFreeString,SysFreeString,VariantInit,WideCharToMultiByte,VariantClear
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DE3390 LoadResource,LockResource,SizeofResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\MossX64.exe | File created: C:\Users\user\Desktop\MOSS\
PE file has an executable .text section and no other executable section
Source: MossX64.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\MossX64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\MossX64.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\MossX64.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: MossX64.exe | Virustotal: Detection: 36%
Source: MossX64.exe | ReversingLabs: Detection: 32%
PE file has a big code size
Source: MossX64.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
PE file has a high image base, often used for DLLs
Source: MossX64.exe | Static PE information: Image base 0x140000000 > 0x60000000
Submission file is bigger than most known malware samples
Source: MossX64.exe | Static file information: File size 3450880 > 1048576
PE file has a big raw section
Source: MossX64.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e9600
PE file imports many functions
Source: MossX64.exe | Static PE information: More than 200 imports for USER32.dll
PE file contains a mix of data directories often seen in goodware
Source: MossX64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MossX64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MossX64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MossX64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MossX64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MossX64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: MossX64.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
PE file contains a debug data directory
Source: MossX64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: E:\F\Test\CoreTempGadget\GetCoreTempInfo\Release\GetCoreTempInfo.pdb0 source: MossX64.exe
Source: Binary string: E:\sources\oc2017\x64\RandomD3D_x64\moss.pdb source: MossX64.exe
Source: Binary string: E:\F\Test\CoreTempGadget\GetCoreTempInfo\Release\GetCoreTempInfo.pdb source: MossX64.exe
Source: Binary string: E:\F\Test\CoreTempGadget\GetCoreTempInfo\x64\Release\GetCoreTempInfo.pdb source: MossX64.exe
PE file contains a valid data directory to section mapping
Source: MossX64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MossX64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MossX64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MossX64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MossX64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEBB80 CreateICW,GetDeviceCaps,GetDeviceCaps,DeleteDC,timeGetTime,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,DeleteFileW,LoadLibraryW,GetProcAddress,FreeLibrary,SHGetFolderPathA,PathAppendA,LoadCursorW,LoadIconW,LoadIconW,RegisterClassExW,CreateWindowExW,RegisterClassExW,GetDesktopWindow,CreateWindowExW,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetActiveWindow,MessageBoxW,SetLayeredWindowAttributes,ShowWindow,InvalidateRect,UpdateWindow,ShowWindow,0_2_00007FF732DEBB80

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732EC74B8 GetClientRect,IsRectEmpty,IsWindow,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,GetWindowRect,GetParent,IsRectEmpty,EqualRect,EndDeferWindowPos,0_2_00007FF732EC74B8
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732ED3BE4 SetForegroundWindow,IsIconic,PostMessageW,IsIconic,0_2_00007FF732ED3BE4
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E6C114 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,GetParent,SendMessageW,UpdateWindow,GetParent,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,0_2_00007FF732E6C114
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F0A378 IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,PtInRect,SendMessageW,IsWindow,GetWindowRect,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,0_2_00007FF732F0A378
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E827B0 GetParent,IsIconic,GetParent,GetDlgCtrlID,0_2_00007FF732E827B0

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DECA50 0_2_00007FF732DECA50
Contains functionality to query network adapter information
Source: C:\Users\user\Desktop\MossX64.exe | Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetComputerNameA,GetUserNameA,GlobalMemoryStatusEx,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,0_2_00007FF732DFB730
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\MossX64.exe | API coverage: 6.0 %
Contains functionality to query system information
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732FA7924 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,0_2_00007FF732FA7924
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: MossX64.exe, 00000000.00000002.2339509231.000001AB34973000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEAEB0 timeBeginPeriod,SetProcessDEPPolicy,LoadStringW,LoadStringW,LoadStringW,InitializeSecurityDescriptor,CreateSemaphoreW,GetLastError,CloseHandle,FindWindowW,SetForegroundWindow,MessageBoxW,IsDebuggerPresent,MessageBoxW,RegCreateKeyExW,RegQueryValueExA,PathFileExistsA,MultiByteToWideChar,PathAppendW,SHGetFolderPathW,PathAppendW,MessageBoxW,SetCurrentDirectoryW,LoadLibraryW,GetProcAddressForCaller,GetProcAddress,LoadAcceleratorsW,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,wsprintfW,DeleteFileW,MultiByteToWideChar,SetUnhandledExceptionFilter,MultiByteToWideChar,SysAllocString,SysFreeString,SysFreeString,timeGetTime,timeGetTime,wcsstr,RegCreateKeyExW,RegQueryValueExA,RegCloseKey,GetMessageW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,FreeLibrary,timeEndPeriod,CoUninitialize,MessageBoxW,_invalid_parameter_noinfo_noreturn,0_2_00007FF732DEAEB0
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F8FD20 GetLastError,IsDebuggerPresent,OutputDebugStringW,0_2_00007FF732F8FD20
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEBB80 CreateICW,GetDeviceCaps,GetDeviceCaps,DeleteDC,timeGetTime,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,DeleteFileW,LoadLibraryW,GetProcAddress,FreeLibrary,SHGetFolderPathA,PathAppendA,LoadCursorW,LoadIconW,LoadIconW,RegisterClassExW,CreateWindowExW,RegisterClassExW,GetDesktopWindow,CreateWindowExW,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetActiveWindow,MessageBoxW,SetLayeredWindowAttributes,ShowWindow,InvalidateRect,UpdateWindow,ShowWindow,0_2_00007FF732DEBB80
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DFB730 GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetComputerNameA,GetUserNameA,GlobalMemoryStatusEx,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,0_2_00007FF732DFB730
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F8F3F0 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,0_2_00007FF732F8F3F0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DEAEB0 timeBeginPeriod,SetProcessDEPPolicy,LoadStringW,LoadStringW,LoadStringW,InitializeSecurityDescriptor,CreateSemaphoreW,GetLastError,CloseHandle,FindWindowW,SetForegroundWindow,MessageBoxW,IsDebuggerPresent,MessageBoxW,RegCreateKeyExW,RegQueryValueExA,PathFileExistsA,MultiByteToWideChar,PathAppendW,SHGetFolderPathW,PathAppendW,MessageBoxW,SetCurrentDirectoryW,LoadLibraryW,GetProcAddressForCaller,GetProcAddress,LoadAcceleratorsW,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,wsprintfW,DeleteFileW,MultiByteToWideChar,SetUnhandledExceptionFilter,MultiByteToWideChar,SysAllocString,SysFreeString,SysFreeString,timeGetTime,timeGetTime,wcsstr,RegCreateKeyExW,RegQueryValueExA,RegCloseKey,GetMessageW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,FreeLibrary,timeEndPeriod,CoUninitialize,MessageBoxW,_invalid_parameter_noinfo_noreturn,0_2_00007FF732DEAEB0
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F8FB60 SetUnhandledExceptionFilter,0_2_00007FF732F8FB60
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F8F97C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF732F8F97C

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\MossX64.exe | Code function: strstr,EnumProcesses,OpenProcess,GetModuleFileNameExW,wcsstr,WideCharToMultiByte,strstr,IsWow64Process,wcsstr,SysAllocString,strrchr,strstr,SysFreeString,MultiByteToWideChar,WideCharToMultiByte,MultiByteToWideChar,CloseHandle,timeGetTime, System32\svchost.exe 0_2_00007FF732DEFB40
May try to detect the Windows Explorer process (often used for injection)
Source: MossX64.exe, 00000000.00000002.2339836850.000001AB34E20000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: MossX64.exe, 00000000.00000002.2339836850.000001AB34E20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: MossX64.exe, 00000000.00000002.2339836850.000001AB34E20000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: MossX64.exe, 00000000.00000002.2339836850.000001AB34E20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\MossX64.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF732FBB380
Source: C:\Users\user\Desktop\MossX64.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF732FBB1A4
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732F8FBA8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF732F8FBA8
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732DFB730 GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetComputerNameA,GetUserNameA,GlobalMemoryStatusEx,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,0_2_00007FF732DFB730
Contains functionality to query the Windows version
Source: C:\Users\user\Desktop\MossX64.exe | Code function: 0_2_00007FF732E0E790 GetVersionExW,wcschr,CoInitializeEx,CoCreateInstance,0_2_00007FF732E0E790

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
MossX64.exe | 36% | Virustotal |
MossX64.exe | 32% | ReversingLabs | Win64.PUA.Johnnie

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://nohope.euopenhttps://twitter.com/intent/follow?original_referer=Moss&ref_src=twsrc%5Etfw&scre | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | invoice No.4510.xls | malicious | 52.114.132.20
unknown | invoice No.4510.xls | malicious | 8.208.28.247
unknown | https://securedfilx.com/365/login.php | malicious | 162.144.38.191
unknown | https://coronavirus-map.com | malicious | 34.98.67.61
unknown | Coffey.com Attachment_37934.htm | malicious | 162.241.87.39
unknown | http://bit.do/fzr7E | malicious | 54.83.52.76
unknown | Corona-virus-Map.com.exe | malicious | 18.234.22.29
unknown | certid12245UK.docx | malicious | 104.17.241.204
unknown | certid12245UK.docx | malicious | 143.204.98.76
unknown | https://confiden022.z19.web.core.windows.net/#quyen.moreland@exeterfinance.com | malicious | 52.97.189.98
unknown | http://icitius33xxx10314522289466.com/newavpn_encrypted_4D67F00.bin | malicious | 104.168.163.235
unknown | https://xn--2-0mcib2cb7l.azurewebsites.net/16jamsbnedwards | malicious | 104.16.124.175
unknown | IRS.Letter.059263.doc | malicious | 192.168.2.255
unknown | http://cirugiacanariadelpie.com/.com/ | malicious | 104.28.6.34
unknown | Resume.xls | malicious | 172.217.23.193
unknown | rEP1O3OlIL.exe | malicious | 77.88.21.158
unknown | Remittance_Advice_PET.jar | malicious | 66.171.248.178
unknown | https://vapers-coalition.com/ems/post/china/logistic/intraship/index.php?email=bing.li@jungheinrich.cn | malicious | 211.156.201.16
unknown | Remittance_Advice_PET.jar | malicious | 66.171.248.178
unknown | UpdateFlashPlayer_11_5_1.apk | malicious | 216.58.201.99

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.