Windows Analysis Report gmAszjZqKD.exe
Overview
General Information
Sample Name: gmAszjZqKD.exe
Analysis ID: 435329
MD5: a8fcf9f01f6ac912a38cb17e59eb1ed0
SHA1: 40072436d5bd265261bcf0bfd5cfbb046e70a97a
SHA256: 9d56ad7e390d35d3fcf2bc03ac7b38e5efeee12e8bbc2917a375e6cf8c65d69f
Tags: AveMariaRAT, exe, RAT
Detection
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Classification
Malware Configuration
No configs have been found
Yara Overview
Initial Sample
| Rule | Description | Author |
|---|---|---|
| Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth |
| Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth |
| MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
| JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Sigma Overview
No Sigma rule has matched
Signature Overview
| Category | Signature | Sources |
|---|---|---|
| AV Detection | Antivirus / Scanner detection for submitted sample | Avira |
| AV Detection | Multi AV Scanner detection for submitted file | Virustotal; ReversingLabs |
| AV Detection | Yara detected AveMaria stealer | File source |
| AV Detection | Machine Learning detection for sample | Joe Sandbox ML |
| Exploits | Yara detected UACMe UAC Bypass tool | File source; Static PE information (×2); String found in binary or memory; Binary or memory string |
| E-Banking Fraud | Yara detected AveMaria stealer | File source |
| System Summary | Malicious sample detected (through community Yara rule) | Matched rule (×7); Static PE information (×6); Classification label; Virustotal; ReversingLabs |
| Hooking and other Techniques for Hiding and Protection | Contains functionality to hide user accounts | String found in binary or memory (×2) |
| Stealing of Sensitive Information | Yara detected AveMaria stealer | File source (×2) |
| Remote Access Functionality | Yara detected AveMaria stealer | File source |
MITRE ATT&CK Matrix
| Tactic | Technique |
|---|---|
| Initial Access | Valid Accounts |
| Execution | Windows Management Instrumentation |
| Persistence | Path Interception |
| Privilege Escalation | Path Interception |
| Defense Evasion | Hidden Users |
| Credential Access | Input Capture |
| Discovery | System Service Discovery |
| Lateral Movement | Remote Services |
| Collection | Input Capture |
| Exfiltration | Exfiltration Over Other Network Medium |
| Command and Control | Data Obfuscation |
| Network Effects | Eavesdrop on Insecure Network Communication |
| Remote Service Effects | Remotely Track Device Without Authorization |
| Impact | Modify System Partition |
Behavior Graph
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
| Detection | Scanner | Label |
|---|---|---|
| 72% | Virustotal | |
| 90% | ReversingLabs | Win32.Backdoor.Remcos |
| 100% | Avira | TR/Redcap.ghjpt |
| 100% | Joe Sandbox ML | |
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs: No Antivirus matches
Domains and IPs
Contacted Domains: No contacted domains info
URLs from Memory and Binaries
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| | | false | | high |
Contacted IPs: No contacted IP infos
General Information
Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 435329
Start date: 16.06.2021
Start time: 12:28:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 6s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: gmAszjZqKD.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.expl.winEXE@0/0@0/0
Simulations
Behavior and APIs: No simulations
Joe Sandbox View / Context
Created / dropped Files: No created / dropped files found
Static File Info
General
Entropy (8bit): 6.3223585086508205
File name: gmAszjZqKD.exe
File size: 112035 bytes
MD5: a8fcf9f01f6ac912a38cb17e59eb1ed0
SHA1: 40072436d5bd265261bcf0bfd5cfbb046e70a97a
SHA256: 9d56ad7e390d35d3fcf2bc03ac7b38e5efeee12e8bbc2917a375e6cf8c65d69f
SHA512: e59eb3818a70cb1fbf3b0463622faec08320109d1791aaf7c7052ecd1dfec3ed1c7e645aa54f02f773367989b2f6031e8b1962fd548ff7ef00e8e4475d26005d
SSDEEP: 1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE013:K1VmhaH8EFvW+0OVE0h
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z]..><..><..><...3..?<..7D..?<...3..<<......?<......=<..;0..?<..7D..:<..7D..!<..><...<...U..N<...Um.?<...U..?<..Rich><.........
File Icon
Icon Hash: 00828e8e8686b000
Static PE Info
General
Entrypoint: 0x405ce2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5F49FB9C [Sat Aug 29 06:54:20 2020 UTC]
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 51a1d638436da72d7fa5fb524e02d427
Entrypoint Preview

```asm
push ebp
mov ebp, esp
sub esp, 44h
push esi
call dword ptr [004141E8h]
mov ecx, eax
mov al, byte ptr [ecx]
cmp al, 22h
jne 00007F9C8096790Ah
inc ecx
mov dl, byte ptr [ecx]
test dl, dl
je 00007F9C809678F3h
mov al, dl
mov dl, al
cmp al, 22h
je 00007F9C809678EBh
inc ecx
mov dl, byte ptr [ecx]
mov al, dl
test dl, dl
jne 00007F9C809678D3h
lea eax, dword ptr [ecx+01h]
cmp dl, 00000022h
cmovne eax, ecx
mov ecx, eax
jmp 00007F9C809678F0h
inc ecx
mov al, byte ptr [ecx]
cmp al, 20h
jnle 00007F9C809678DBh
jmp 00007F9C809678E9h
cmp al, 20h
jnle 00007F9C809678E9h
inc ecx
mov al, byte ptr [ecx]
test al, al
jne 00007F9C809678D7h
and dword ptr [ebp-18h], 00000000h
lea eax, dword ptr [ebp-44h]
push eax
call dword ptr [00414140h]
call 00007F9C80967912h
mov edx, 0041902Ch
mov ecx, 00419000h
call 00007F9C80967930h
push 00000000h
call dword ptr [004141ECh]
push ecx
push ecx
call 00007F9C80974FB9h
mov esi, eax
call 00007F9C80967902h
push esi
call dword ptr [004141F0h]
int3
mov dword ptr [0054DB64h], 00000020h
call 00007F9C809677F4h
mov dword ptr [0054D0E4h], eax
ret
mov eax, dword ptr [0054E01Ch]
test eax, eax
je 00007F9C809678F0h
mov ecx, dword ptr [0054D0E4h]
lea edx, dword ptr [ecx+eax*4]
jmp 00007F9C809678E6h
ret
push ebx
push esi
push edi
mov edi, ecx
mov esi, edx
sub esi, edi
xor eax, eax
add esi, 00000000h
```
Rich Headers
Programming Language:
Data Directories
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1771c | 0x118 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14f000 | 0x2c70 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x152000 | 0xfa8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x175a0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x14000 | 0x370 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x12eab | 0x13000 | False | 0.574822676809 | data | 6.49494739154 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x14000 | 0x49ce | 0x4a00 | False | 0.404666385135 | data | 5.28154165346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x19000 | 0x1350d8 | 0x600 | False | 0.570963541667 | data | 4.99296329391 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x14f000 | 0x2c70 | 0x2e00 | False | 0.327785326087 | data | 3.95871566709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x152000 | 0xfa8 | 0x1000 | False | 0.926960257787 | data | 6.58382237931 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .bss | 0x153000 | 0x1000 | 0x200 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| WM_DSP | 0x14f070 | 0x2c00 | PE32 executable (GUI) Intel 80386, for MS Windows | English | India |
Imports
| DLL | Import |
|---|---|
| bcrypt.dll | BCryptSetProperty, BCryptGenerateSymmetricKey, BCryptOpenAlgorithmProvider, BCryptDecrypt |
| KERNEL32.dll | HeapFree, VirtualAlloc, HeapReAlloc, VirtualQuery, TerminateThread, CreateThread, WriteProcessMemory, GetCurrentProcess, OpenProcess, GetWindowsDirectoryA, VirtualProtectEx, VirtualAllocEx, CreateRemoteThread, CreateProcessA, GetModuleHandleW, IsWow64Process, WriteFile, CreateFileW, LoadLibraryW, GetLocalTime, GetCurrentThreadId, GetCurrentProcessId, ReadFile, FindFirstFileA, GetBinaryTypeW, FindNextFileA, GetFullPathNameA, GetTempPathW, GetPrivateProfileStringW, CreateFileA, GlobalAlloc, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFileSize, FreeLibrary, SetDllDirectoryW, GetFileSizeEx, LoadLibraryA, LocalFree, WaitForSingleObject, WaitForMultipleObjects, CreatePipe, PeekNamedPipe, DuplicateHandle, SetEvent, GetStartupInfoA, CreateEventA, GetModuleFileNameW, LoadResource, FindResourceW, GetComputerNameW, GlobalMemoryStatusEx, LoadLibraryExW, FindFirstFileW, FindNextFileW, SetFilePointer, GetLogicalDriveStringsW, DeleteFileW, CopyFileW, GetDriveTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetProcessHeap, ReleaseMutex, TerminateProcess, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, SizeofResource, VirtualProtect, GetSystemDirectoryW, LockResource, GetWindowsDirectoryW, Process32First, Process32Next, WinExec, GetTempPathA, HeapAlloc, lstrcmpW, GetTickCount, lstrcpyW, WideCharToMultiByte, lstrcpyA, Sleep, MultiByteToWideChar, GetCommandLineA, GetModuleHandleA, ExitProcess, CreateProcessW, lstrcatA, lstrcmpA, lstrlenA, ExpandEnvironmentStringsW, lstrlenW, CloseHandle, lstrcatW, GetLastError, VirtualFree, GetProcAddress, SetLastError, GetModuleFileNameA, CreateDirectoryW, LocalAlloc, CreateMutexA |
| USER32.dll | GetKeyState, GetMessageA, DispatchMessageA, CreateWindowExW, CallNextHookEx, GetAsyncKeyState, RegisterClassW, GetRawInputData, MapVirtualKeyA, DefWindowProcA, RegisterRawInputDevices, TranslateMessage, GetForegroundWindow, GetKeyNameTextW, PostQuitMessage, MessageBoxA, GetLastInputInfo, wsprintfW, GetWindowTextW, wsprintfA, ToUnicode |
| ADVAPI32.dll | RegDeleteKeyW, RegCreateKeyExW, RegSetValueExA, RegDeleteValueW, LookupPrivilegeValueW, AdjustTokenPrivileges, AllocateAndInitializeSid, OpenProcessToken, InitializeSecurityDescriptor, RegDeleteKeyA, SetSecurityDescriptorDacl, RegOpenKeyExW, RegOpenKeyExA, RegEnumKeyExW, RegQueryValueExA, RegQueryInfoKeyW, RegCloseKey, OpenServiceW, ChangeServiceConfigW, QueryServiceConfigW, EnumServicesStatusExW, StartServiceW, RegSetValueExW, RegCreateKeyExA, OpenSCManagerW, CloseServiceHandle, GetTokenInformation, LookupAccountSidW, FreeSid, RegQueryValueExW |
| SHELL32.dll | ShellExecuteExA, ShellExecuteExW, SHGetSpecialFolderPathW, SHCreateDirectoryExW, ShellExecuteW, SHGetFolderPathW, SHGetKnownFolderPath |
| urlmon.dll | URLDownloadToFileW |
| WS2_32.dll | htons, recv, connect, socket, send, WSAStartup, shutdown, closesocket, WSACleanup, InetNtopW, gethostbyname, inet_addr, getaddrinfo, setsockopt, freeaddrinfo |
| ole32.dll | CoInitializeSecurity, CoCreateInstance, CoInitialize, CoUninitialize, CoTaskMemFree |
| SHLWAPI.dll | StrStrW, PathRemoveFileSpecA, StrStrA, PathCombineA, PathFindFileNameW, PathFileExistsW, PathFindExtensionW |
| NETAPI32.dll | NetLocalGroupAddMembers, NetUserAdd |
| OLEAUT32.dll | VariantInit |
| CRYPT32.dll | CryptUnprotectData, CryptStringToBinaryA, CryptStringToBinaryW |
| PSAPI.DLL | GetModuleFileNameExW |
Possible Origin
| Language of compilation system | Country where language is spoken |
|---|---|
| English | India |
Network Behavior: No network behavior found
Code Manipulations
Statistics
System Behavior
Disassembly