Analysis Report RFlc8JHObG

Overview

General Information

Sample Name: RFlc8JHObG (renamed file extension from none to exe)
Analysis ID: 372416
MD5: 9babe52f985b2b4193113d5c260eb195
SHA1: b4b4772d485d7d4192774aca3a9c594f82717adb
SHA256: ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1
Tags: unnamed9

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: RFlc8JHObG.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: RFlc8JHObG.exe Virustotal: Detection: 84%
Source: RFlc8JHObG.exe ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: RFlc8JHObG.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.RFlc8JHObG.exe.2bd0000.2.unpack Avira: Label: TR/Kazy.MK
Source: 1.2.RFlc8JHObG.exe.400000.0.unpack Avira: Label: TR/Kazy.MK

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00409D29 CryptUnprotectData,LocalFree, 1_2_00409D29
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_004123AB CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 1_2_004123AB

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Unpacked PE file: 1.2.RFlc8JHObG.exe.400000.0.unpack
Uses 32bit PE files
Source: RFlc8JHObG.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: T:\fbgFd\faQgZ\bvjZalie\jRgyey\zBPowcgb.pdb source: RFlc8JHObG.exe

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_004054D0 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 1_2_004054D0
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0041652E PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 1_2_0041652E
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_004165E9 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 1_2_004165E9
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0041404D select,recv, 1_2_0041404D
Source: RFlc8JHObG.exe String found in binary or memory: http://www.internic.net/images/internic.gif
Source: RFlc8JHObG.exe, 00000001.00000002.200757968.0000000002BD0000.00000004.00000001.sdmp String found in binary or memory: http://www.internic.net/images/internic.gifbclih6h5h4h3h2h1divtdtrhrbr

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040ED74 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,PFXImportCertStore, 1_2_0040ED74
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040E904 NtQueryInformationProcess,CloseHandle,NtCreateThread, 1_2_0040E904
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040E9BB NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle, 1_2_0040E9BB
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00412A28 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 1_2_00412A28
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040716E CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 1_2_0040716E
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040D61F InitiateSystemShutdownExW,ExitWindowsEx, 1_2_0040D61F
Detected potential crypto function
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00413E5D 1_2_00413E5D
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040168B 1_2_0040168B
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_004122B7 1_2_004122B7
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_02442209 1_2_02442209
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_02457E13 1_2_02457E13
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_02459A29 1_2_02459A29
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_02442699 1_2_02442699
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_024590B3 1_2_024590B3
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_024595E0 1_2_024595E0
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0244266E 1_2_0244266E
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_02442F44 1_2_02442F44
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0245AB1C 1_2_0245AB1C
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_024413C7 1_2_024413C7
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_02459F88 1_2_02459F88
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0245AC60 1_2_0245AC60
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_02441000 1_2_02441000
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_024598C3 1_2_024598C3
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0245B0E3 1_2_0245B0E3
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0245890F 1_2_0245890F
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0245A912 1_2_0245A912
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0245A9BA 1_2_0245A9BA
Uses 32bit PE files
Source: RFlc8JHObG.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: RFlc8JHObG.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal76.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040D4F4 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 1_2_0040D4F4
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040760C CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 1_2_0040760C
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_004127D2 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 1_2_004127D2
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040CC7E CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle, 1_2_0040CC7E
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040A448 CoCreateInstance, 1_2_0040A448
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFlc8JHObG.exe Virustotal: Detection: 84%
Source: RFlc8JHObG.exe ReversingLabs: Detection: 88%
Source: Binary string: T:\fbgFd\faQgZ\bvjZalie\jRgyey\zBPowcgb.pdb source: RFlc8JHObG.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Unpacked PE file: 1.2.RFlc8JHObG.exe.400000.0.unpack .text:ER;.data:EW;.itext:R;.rsrc:R;.idata:R; vs .text:ER;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Unpacked PE file: 1.2.RFlc8JHObG.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00414CC6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary, 1_2_00414CC6
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00401915 push es; iretd 1_2_00401924
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00401FE1 push cs; iretd 1_2_00401FF0
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00401FAB push cs; ret 1_2_00401FC0
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_02447857 push esi; iretd 1_2_024478AD
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_024445E5 pushfd ; iretd 1_2_024445FB
Source: initial sample Static PE information: section name: .text entropy: 6.99040926415
Source: initial sample Static PE information: section name: .data entropy: 7.18553169486

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0041652E PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 1_2_0041652E
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_004165E9 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 1_2_004165E9

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_0040ED74 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,PFXImportCertStore, 1_2_0040ED74
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00414CC6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary, 1_2_00414CC6
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_004061F9 mov edx, dword ptr fs:[00000030h] 1_2_004061F9
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00406532 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, 1_2_00406532
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_004145CF InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 1_2_004145CF
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00411208 GetSystemTime,SystemTimeToFileTime, 1_2_00411208
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_004104D7 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, 1_2_004104D7
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00411230 GetTimeZoneInformation, 1_2_00411230
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_004078CA GetProcAddress,GetVersionExW, 1_2_004078CA

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: RFlc8JHObG.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00414400 socket,bind,closesocket, 1_2_00414400
Source: C:\Users\user\Desktop\RFlc8JHObG.exe Code function: 1_2_00414164 socket,bind,listen,closesocket, 1_2_00414164

Behavior Graph

Behavior Graph ID: 372416
Sample: RFlc8JHObG
Start date: 20/03/2021
Architecture: WINDOWS
Score: 76
Graph (image not reproduced): process RFlc8JHObG.exe started; signatures attached to the sample: Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, Machine Learning detection for sample; signatures attached to the process: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header)
No contacted IP infos