Windows Analysis Report FACTURA.exe

Overview

General Information

Sample Name: FACTURA.exe
Analysis ID: 1568
MD5: 740463ed3266f7aee8331978f50c731c
SHA1: a9310948476693d72be937f23e1b53b3607bf92f
SHA256: fa9e12a03b909482d5bacd2d7ab1a8d672528bfcf43402c04b6d3a30702b0c4d
Detection

Detected families: RemCom RemoteAdmin, Mimikatz, HawkEye, Imminent, Remcos, AESCRYPT Ransomware, Annabelle
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PasteDownloader
Yara detected LaZagne password dumper
Yara detected Metasploit Payload
Yara detected LazParking Ransomware
Yara detected Neshta
Detected Hacktool Mimikatz
Yara detected Discord Token Stealer
Yara detected MailPassView
Yara detected BlackMoon Ransomware
Yara detected Snake Keylogger
Yara detected Parallax RAT
Yara detected Zeppelin Ransomware
Yara detected Ragnarok ransomware
Yara detected Apis Ransomware
Yara detected Wannacry ransomware
Yara detected MegaCortex Ransomware
Yara detected Valak
Yara detected AntiVM3
Yara detected Cobra Locker ransomware
Yara detected RekenSom ransomware
Yara detected Avaddon Ransomware
Yara detected Babuk Ransomware
Yara detected Nemty Ransomware
Yara detected NetWire RAT
Yara detected Linux EvilGnome RC5 key
Yara detected Mini RAT
Yara detected BLACKMatter Ransomware
Yara detected Clay Ransomware
Yara detected Thanos ransomware
Yara detected Koadic
Yara detected Jigsaw
Yara detected CryLock ransomware
Yara detected Pony
Yara detected Sapphire Ransomware
Yara detected OCT Ransomware
Yara detected Snatch Ransomware
Yara detected VBKeyloggerGeneric
Antivirus detection for URL or domain
Yara detected AESCRYPT Ransomware
Yara detected RansomwareGeneric
Yara detected Silvertor Ransomware
Yara detected Coinhive miner
Yara detected Ouroboros ransomware
Yara detected Annabelle Ransomware
Yara detected Gocoder ransomware
Detected Imminent RAT
Yara detected LimeRAT
Yara detected BitCoin Miner
Yara detected WannaRen ransomware
Yara detected GuLoader
Yara detected Chaos Ransomware
Yara detected Hancitor
Found malware configuration
Yara detected Mock Ransomware
Yara detected Conti ransomware
Yara detected Generic Dropper
Yara detected NoCry Ransomware
Yara detected ByteLocker Ransomware
Yara detected RegretLocker Ransomware
Yara detected Meterpreter
Yara detected Clop Ransomware
Yara detected Ryuk ransomware
Yara detected Xmrig cryptocurrency miner
Yara detected Porn Ransomware
Yara detected LockBit ransomware
Yara detected DarkSide Ransomware
Yara detected LOCKFILE ransomware
Malicious sample detected (through community Yara rule)
Yara detected Cerber ransomware
Yara detected HiddenTear ransomware
Yara detected Telegram RAT
Yara detected Rhino ransomware
Yara detected Mailto ransomware
Yara detected CoronaCrypt Ransomware
Yara detected Voidcrypt Ransomware
Yara detected Njrat
Yara detected Buran Ransomware
Yara detected GoGoogle ransomware
Yara detected VHD ransomware
Yara detected generic Shellcode Injector
Yara detected Axiom Ransomware
Yara detected Artemon Ransomware
Yara detected Netwalker ransomware
Yara detected Vidar stealer
Yara detected Jcrypt Ransomware
Yara detected Covid19 Ransomware
Yara detected UACMe UAC Bypass tool
Yara detected Delta Ransomware
Yara detected Predator
Yara detected Mimikatz
Detected HawkEye Rat
Yara detected AveMaria stealer
Yara detected Nukesped
Yara detected LokiLocker Ransomware
Detected Remcos RAT
Yara detected Cryptolocker ransomware
Yara detected Marvel Ransomware
Multi AV Scanner detection for domain / URL
Yara detected Codoso Ghost
Yara detected Cute Ransomware
Yara detected Growtopia
Yara detected Xorist ransomware
Yara detected Windows Security Disabler
Yara detected Dorkbot
Yara detected RevengeRAT
Contains VNC / remote desktop functionality (version string found)
Found strings related to Crypto-Mining
Found Tor onion address
Yara detected MaliciousMacro
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Sample is not signed and drops a device driver
May modify the system service descriptor table (often done to hook functions)
Yara detected AllatoriJARObfuscator
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Found string related to ransomware
Yara detected MSILLoadEncryptedAssembly
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
Yara detected BatToExe compiled binary
May drop file containing decryption instructions (likely related to ransomware)
Binary or sample is protected by dotNetProtector
May enable test signing (to load unsigned drivers)
Deletes shadow drive data (may be related to ransomware)
Yara detected Autohotkey Downloader Generic
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Sample execution stops while process was sleeping (likely an evasion)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Creates driver files
Binary contains a suspicious time stamp
May initialize a security null descriptor
Yara detected Keylogger Generic
Uses 32bit PE files
Yara signature match
Deletes files inside the Windows folder
Contains functionality to query the security center for anti-virus and firewall products
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Yara detected RemCom RemoteAdmin tool
PE file contains executable resources (Code or Archives)
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains strings related to BOT control commands
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Yara detected Winexe tool

Process Tree

  • System is w10x64native
  • FACTURA.exe (PID: 7040 cmdline: 'C:\Users\user\Desktop\FACTURA.exe' MD5: 740463ED3266F7AEE8331978F50C731C)
    • WerFault.exe (PID: 8016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 848 MD5: 40A149513D721F096DDF50C04DA2F01F)
    • WerFault.exe (PID: 2516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 856 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • UserOOBEBroker.exe (PID: 2888 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)
  • mpam-5e107659.exe (PID: 6940 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe' /q WD MD5: 58454E5B478373BF68420AE5D49380D4)
    • MpSigStub.exe (PID: 5556 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.16.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)
  • wevtutil.exe (PID: 4104 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • wevtutil.exe (PID: 6840 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 2644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • mpam-fad3e9a8.exe (PID: 1248 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-fad3e9a8.exe MD5: 34B7B3BDFA61E18D3B2C3B0AC92B78EF)
  • cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Execute Command", "Command": "\u0001"}

Threatname: CryLock

{"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api  Intel(R) Core(TM)2 CPU         T7200  @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}

Yara Overview

Memory Dumps

Each memory dump is listed with the matching rule, the rule description, the rule author, and the matched strings (offset, string identifier, value).

Source: 00000024.00000003.6293943264.00000197A31B6000.00000004.00000001.sdmp
Rule: JoeSecurity_Allatori_JAR_Obfuscator
Description: Yara detected Allatori_JAR_Obfuscator
Author: Joe Security

Source: 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp
Rule: Tofu_Backdoor
Description: Detects Tofu Trojan
Author: Cylance
Strings:
  • 0x2f5af:$a: Cookies: Sym1.0
  • 0x2f550:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0

Source: 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Rule: ZxShell_Jul17
Description: Detects a ZxShell - CN threat group
Author: Florian Roth
Strings:
  • 0xf57f:$x1: zxplug -add
  • 0xf58b:$x2: getxxx c:\xyz.dll

Source: 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Rule: JoeSecurity_Coinhive
Description: Yara detected Coinhive miner
Author: Joe Security

Source: 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Rule: webshell_php_by_string_obfuscation
Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell, or can be used to insert malicious JavaScript for credit card skimming
Author: Arnim Rupp
Strings:
  • 0xd5e:$opbs48: se'.(32*2)
  • 0x179f:$php_short: <?
  • 0x184cc:$php_short: <?
  • 0x179f:$php_new2: <?php