
Analysis Report GZe6EcSTpO

Overview

General Information

Sample Name: GZe6EcSTpO (renamed file extension from none to exe)
Analysis ID: 380813
MD5: 87e0355c098d2dfd890ae4c9da26bbdd
SHA1: 5f300f4dd15cccbe51cd4df51ac30b7c2c84fc75
SHA256: 570c3c298c2d30bfd7d824b0ec8e28b3efa51bf269297348fc5fc30cb81a2d7e
Tags: 1512361453

Detection

Mimikatz HawkEye Nanocore xRAT CobaltStrike Codoso Ghost Coinhive Crypto Miner GhostRat Mini RAT Mirai Nukesped PupyRAT Quasar RevengeRAT ComRAT UACMe WebMonitor RAT Xmrig Xtreme RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Hacktool Mimikatz
Detected HawkEye Rat
Detected Nanocore Rat
Detected xRAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected CobaltStrike
Yara detected Codoso Ghost
Yara detected Coinhive miner
Yara detected Crypto Miner
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Mini RAT
Yara detected Mirai
Yara detected Nukesped
Yara detected Powershell download and execute
Yara detected PupyRAT
Yara detected Quasar RAT
Yara detected RevengeRAT
Yara detected Turla ComRAT XORKey
Yara detected UACMe UAC Bypass tool
Yara detected WebMonitor RAT
Yara detected Xmrig cryptocurrency miner
Yara detected Xtreme RAT
Deletes itself after installation
Found Tor onion address
Found strings related to Crypto-Mining
Modifies existing user documents (likely ransomware behavior)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes a notice file (html or txt) to demand a ransom
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • GZe6EcSTpO.exe (PID: 5884 cmdline: 'C:\Users\user\Desktop\GZe6EcSTpO.exe' MD5: 87E0355C098D2DFD890AE4C9DA26BBDD)
    • vnwareupdate.exe (PID: 2540 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' -r 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 MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 4456 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092' MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136' MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244' MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236' MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 7044 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256' MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 5432 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300' MD5: FA8AFFACE280644885152DE7CD3234EE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\keywords.txt | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth
  • 0x2b9:$x7: Invoke-Mimikatz
C:\Users\user\Desktop\c2-iocs.txt | APT10_Malware_Sample_Gen | APT 10 / Cloud Hopper malware campaign | Florian Roth
C:\Users\user\Desktop\c2-iocs.txt | APT_DeputyDog_Fexel | unknown | ThreatConnect Intelligence Research Team
  • 0x386:$180: 180.150.228.102
C:\Users\user\Desktop\filename-iocs.txt | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth
  • 0x9750:$s11: elatedmonkey
  • 0x979a:$s13: endlessdonut
  • 0x9622:$elf1: catflap
  • 0x9630:$elf1: catflap
  • 0x964f:$elf2: charm_penguin
  • 0x9662:$elf3: charm_hammer
  • 0x96d2:$elf5: dampcrowd
  • 0x9730:$elf8: ebbshave
  • 0x9740:$elf9: eggbasket
  • 0x9777:$elf10: toffeehammer
  • 0x97ac:$elf11: enemyrun
  • 0x97d2:$elf12: envoytomato
  • 0x97e3:$elf13: expoxyresin
  • 0x9803:$elf14: estopmoonlit
  • 0x98a8:$elf17: ghost_sparc
  • 0x98c8:$elf18: jackpop
  • 0x98fa:$elf19: orleans_stride
  • 0x9933:$elf21: seconddate
  • 0x9943:$elf23: skimcountry
  • 0x9954:$elf24: slyheretic
  • 0x9964:$elf25: stoicsurgeon
C:\Users\user\Desktop\hash-iocs.txt | EquationDrug_HDDSSD_Op | EquationDrug - HDD/SSD firmware operation - nls_933w.dll | Florian Roth @4nc4p
  • 0x10fca:$s0: nls_933w.dll
  • 0x11045:$s0: nls_933w.dll

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown
  • 0x9d0:$a: Amplia Security
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp | webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat | Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Florian Roth
  • 0xbf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }
  • 0xd38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
  • 0xe79:$s0: Safe0ver
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown
  • 0x191d0:$a: Amplia Security
  • 0x19180:$c: getlsasrvaddr.exe
  • 0x26140:$d: Cannot get PID of LSASS.EXE
  • 0x262c0:$e: extract the TGT session key
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp | SQLMap | This signature detects the SQLMap SQL injection tool | Florian Roth
  • 0x2a6c8:$s1: except SqlmapBaseException, ex: