Loading... Additional Content is being loaded
Windows Analysis Report Xjf4yH9N2t.exe
Overview
General Information
| Sample Name: | Xjf4yH9N2t.exe |
| Analysis ID: | 457791 |
| MD5: | 2318b60075e442cb6141535e268e4df0 |
| SHA1: | 6d2e6e0bfdb0e649e0079533ecdbe302ff9dc8b5 |
| SHA256: | cdbe67339a29bfe3066a18b4e68e9b19e28e449ab21ce23a85ed15e04c5255df |
| Tags: | AveMariaRATexeRAT |
| Infos: | |
|
Most interesting Screenshot:  |
|
Detection
Nanocore AveMaria
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Detected Nanocore Rat
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AveMaria stealer
Yara detected Nanocore RAT
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to create new users
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Direct Autorun Keys Modification
Spawns drivers
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match
Classification
AV Detection: |
  |
|---|
| Antivirus detection for URL or domain |
| Source: |
Avira URL Cloud: |
||
| Multi AV Scanner detection for domain / URL |
| Source: |
Virustotal: |
Perma Link | ||
| Multi AV Scanner detection for dropped file |
| Source: |
ReversingLabs: |
|||
| Source: |
Metadefender: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Source: |
ReversingLabs: |
|||
| Source: |
ReversingLabs: |
|||
| Source: |
ReversingLabs: |
|||
| Yara detected AveMaria stealer |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Yara detected Nanocore RAT |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Machine Learning detection for dropped file |
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Machine Learning detection for sample |
| Source: |
Joe Sandbox ML: |
||
| Antivirus or Machine Learning detection for unpacked file |
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
Cryptography: |
|
|---|
| Uses Microsoft's Enhanced Cryptographic Provider |
| Source: |
Code function: |
7_2_0040A8C3 | |
| Source: |
Code function: |
7_2_0040C261 | |
| Source: |
Code function: |
7_2_0040C3B9 | |
| Source: |
Code function: |
7_2_0040C419 | |
| Source: |
Code function: |
7_2_00409D97 | |
| Source: |
Code function: |
7_2_0040C6BD | |
Compliance: |
|
|---|
| Detected unpacking (creates a PE file in dynamic memory) |
| Source: |
Unpacked PE file: |
||
| Uses 32bit PE files |
| Source: |
Static PE information: |
||
| Source: |
Directory created: |
Jump to behavior | ||
| Source: |
Directory created: |
Jump to behavior | ||
| Source: |
Directory created: |
Jump to behavior | ||
| Source: |
Static PE information: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Code function: |
7_2_00411446 | |
| Source: |
Code function: |
7_2_0040955B | |
| Source: |
Code function: |
7_2_0041154A | |
Software Vulnerabilities: |
|
|---|
| Found inlined nop instructions (likely shell or obfuscated code) |
| Source: |
Code function: |
40_2_06CD3620 | |
Networking: |
|
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Connects to many ports of the same IP (likely port scanning) |
| Source: |
TCP traffic: |
||
| Uses dynamic DNS services |
| Source: |
DNS query: |
||
| Contains functionality to download and execute PE files |
| Source: |
Code function: |
7_2_0040290E | |
| Detected TCP or UDP traffic on non-standard ports |
| Source: |
TCP traffic: |
||
| Downloads executable code via HTTP |
| Source: |
HTTP traffic detected: | ||