Analysis Report vovy0jYEM7

Overview

General Information

Sample Name: vovy0jYEM7 (renamed file extension from none to exe)
Analysis ID: 376942
MD5: ac98d2d71f3a4998abe80dd6e0695fba
SHA1: 76b5d3fd16c3e761022ebd7f3f5fc34f022fcc04
SHA256: 98d33cf483b14fbdab3a470a9452bcea672da54da1131330babcbb40572719e8
Tags: uncategorized

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: vovy0jYEM7.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: vovy0jYEM7.exe Virustotal: Detection: 89%
Source: vovy0jYEM7.exe ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: vovy0jYEM7.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.vovy0jYEM7.exe.400000.0.unpack Avira: Label: TR/Kazy.MK
Source: 0.0.vovy0jYEM7.exe.400000.0.unpack Avira: Label: TR/Kazy.MK

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040F4DA CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_0040F4DA
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00418EF0 CryptUnprotectData,LocalFree, 0_2_00418EF0

Compliance:

Uses 32bit PE files
Source: vovy0jYEM7.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041D2D2 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_0041D2D2
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00413951 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_00413951
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00413A0C FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_00413A0C
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041676F ReadFile,CloseHandle,CloseHandle,PathIsDirectoryW,CreateFileW,FindFirstFileW,FindClose,SetFilePointerEx,GetFileTime,FileTimeToSystemTime,wsprintfW,CloseHandle,ShellExecuteW,GetLastError,MoveFileW,GetLastError,PathIsDirectoryW,CreateDirectoryW,GetLastError,FindFirstFileW,FileTimeToSystemTime,wsprintfW,FindNextFileW,FindClose,GetLogicalDriveStringsA,GetDriveTypeA,WriteFile,GetLastError,GetTempPathW,CreateFileW,SetFilePointerEx,GetLastError,CloseHandle,CloseHandle, 0_2_0041676F
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041BB83 PathCombineW,PathIsDirectoryW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0041BB83
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041596B getaddrinfo,freeaddrinfo,getsockname,getpeername,recv,recvfrom,getaddrinfo,freeaddrinfo,sendto,recvfrom,sendto,select, 0_2_0041596B
Source: vovy0jYEM7.exe String found in binary or memory: http://adrotate.sytes.net/cfgg.bin
Source: vovy0jYEM7.exe String found in binary or memory: http://www.google.com/webhp
Source: vovy0jYEM7.exe String found in binary or memory: http://www.google.com/webhpbc

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040D447 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,closesocket,send,WSASend,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_0040D447
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041D7B7 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage, 0_2_0041D7B7

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040D447 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,closesocket,send,WSASend,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_0040D447
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00415563 NtQueryInformationProcess,CloseHandle,NtCreateThread, 0_2_00415563
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041561A NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle, 0_2_0041561A
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040FBAD lstrcpyA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_0040FBAD
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00405B5C CreateMutexW,GetLastError,CloseHandle,GetTickCount,GetTickCount,Sleep,GetTickCount,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,OpenMutexW,GetFileAttributesExW,ReadProcessMemory,CloseHandle,GetFileAttributesExW,ReadProcessMemory,Sleep,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00405B5C
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040DBFD InitiateSystemShutdownExW,ExitWindowsEx, 0_2_0040DBFD
Detected potential crypto function
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_004110A3 0_2_004110A3
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00409D36 0_2_00409D36
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040C98B 0_2_0040C98B
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041676F 0_2_0041676F
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040F3E6 0_2_0040F3E6
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041CBF9 0_2_0041CBF9
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040BFBE 0_2_0040BFBE
Uses 32bit PE files
Source: vovy0jYEM7.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal64.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041C435 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 0_2_0041C435
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041C5AA CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_0041C5AA
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040F901 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_0040F901
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040F8AA CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle, 0_2_0040F8AA
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041484B CoCreateInstance,VariantInit,SysAllocString,VariantClear, 0_2_0041484B
Source: vovy0jYEM7.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vovy0jYEM7.exe Virustotal: Detection: 89%
Source: vovy0jYEM7.exe ReversingLabs: Detection: 96%

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_004120AD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary, 0_2_004120AD
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041D191 push 6B9D6F03h; retn 0008h 0_2_0041D196

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00414C33 lstrcpyA,lstrcpyA,lstrcpyA,GetProcAddress,GetProcAddress,lstrcpyA,GetProcAddress,lstrcpyA,GetProcAddress,lstrcpyA,GetProcAddress,lstrcpyA,GetProcAddress,lstrcpyA,GetProcAddress,lstrcpyA,GetProcAddress,lstrcpyA,GetProcAddress,lstrcpyA,GetProcAddress,lstrcpyA,GetProcAddress,lstrcpyA,GetProcAddress, 0_2_00414C33

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00416504 0_2_00416504
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00405B5C 0_2_00405B5C
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00405B5C 0_2_00405B5C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00413951 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_00413951
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00413A0C FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_00413A0C
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041676F ReadFile,CloseHandle,CloseHandle,PathIsDirectoryW,CreateFileW,FindFirstFileW,FindClose,SetFilePointerEx,GetFileTime,FileTimeToSystemTime,wsprintfW,CloseHandle,ShellExecuteW,GetLastError,MoveFileW,GetLastError,PathIsDirectoryW,CreateDirectoryW,GetLastError,FindFirstFileW,FileTimeToSystemTime,wsprintfW,FindNextFileW,FindClose,GetLogicalDriveStringsA,GetDriveTypeA,WriteFile,GetLastError,GetTempPathW,CreateFileW,SetFilePointerEx,GetLastError,CloseHandle,CloseHandle, 0_2_0041676F
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041BB83 PathCombineW,PathIsDirectoryW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0041BB83

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040D447 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,closesocket,send,WSASend,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_0040D447
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_004120AD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary, 0_2_004120AD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00404E5C GetModuleHandleW,GetModuleHandleW,lstrcpyA,lstrcpyA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcpyA,GetProcAddress,lstrcpyA,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, 0_2_00404E5C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_004118F9 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,lstrcpyW,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 0_2_004118F9
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041C435 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 0_2_0041C435
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041DB15 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, 0_2_0041DB15
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0040E35F GetTimeZoneInformation, 0_2_0040E35F
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_004054A1 GetComputerNameW,GetVersionExW,RegOpenKeyExW, 0_2_004054A1

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_00411481 socket,bind,listen,closesocket, 0_2_00411481
Source: C:\Users\user\Desktop\vovy0jYEM7.exe Code function: 0_2_0041172A socket,bind,closesocket, 0_2_0041172A

No Screenshots

Behavior Graph (ID: 376942, Sample: vovy0jYEM7, Startdate: 28/03/2021, Architecture: WINDOWS, Score: 64): process vovy0jYEM7.exe started; signatures attached: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Contains functionality to detect sleep reduction / modifications.
No contacted IP infos