Loading ...

Play interactive tourEdit tour

Windows Analysis Report 8XMlaeHQXZ.exe

Overview

General Information

Sample Name:8XMlaeHQXZ.exe
Analysis ID:528756
MD5:5643bf734d793e845166a228f3df83b3
SHA1:4415ad682fd64baedf5c209bc0c2a3b619cf03e2
SHA256:db79e0c2243229f8ba6a52deede597287b93801aa182af42f278542f31fb3324
Tags:exeRedLineStealer
Infos:

Most interesting Screenshot:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
PE file has nameless sections
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains an invalid checksum
Checks if the current process is being debugged
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
PE file overlay found

Classification

Process Tree

  • System is w10x64
  • 8XMlaeHQXZ.exe (PID: 5856 cmdline: "C:\Users\user\Desktop\8XMlaeHQXZ.exe" MD5: 5643BF734D793E845166A228F3DF83B3)
    • WerFault.exe (PID: 1916 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 212 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: 8XMlaeHQXZ.exeVirustotal: Detection: 21%Perma Link
Machine Learning detection for sampleShow sources
Source: 8XMlaeHQXZ.exeJoe Sandbox ML: detected
Source: 8XMlaeHQXZ.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.372441520.0000000000B04000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.372358336.0000000000B1B000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.372382776.0000000000B0A000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.372317581.0000000000B1B000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp
Source: Amcache.hve.3.drString found in binary or memory: http://upx.sf.net

System Summary:

barindex
PE file has nameless sectionsShow sources
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 8XMlaeHQXZ.exeStatic PE information: No import functions for PE file found
Source: 8XMlaeHQXZ.exe, 00000000.00000000.368976942.0000000000426000.00000080.00020000.sdmpBinary or memory string: OriginalFilenamePantsuits.exe4 vs 8XMlaeHQXZ.exe
Source: 8XMlaeHQXZ.exe, 00000000.00000000.368976942.0000000000426000.00000080.00020000.sdmpBinary or memory string: OriginalFilenameGeForce Experience PermissionT vs 8XMlaeHQXZ.exe
Source: 8XMlaeHQXZ.exeBinary or memory string: OriginalFilenamePantsuits.exe4 vs 8XMlaeHQXZ.exe
Source: 8XMlaeHQXZ.exeBinary or memory string: OriginalFilenameGeForce Experience PermissionT vs 8XMlaeHQXZ.exe
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 212
Source: 8XMlaeHQXZ.exeStatic PE information: Data appended to the last section found
Source: 8XMlaeHQXZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: 8XMlaeHQXZ.exeStatic PE information: Section: ZLIB complexity 1.00057768486
Source: 8XMlaeHQXZ.exeStatic PE information: Section: ZLIB complexity 1.0107421875
Source: 8XMlaeHQXZ.exeStatic PE information: Section: ZLIB complexity 1.00716145833
Source: 8XMlaeHQXZ.exeStatic PE information: Section: ZLIB complexity 1.021484375
Source: 8XMlaeHQXZ.exeStatic PE information: Section: ZLIB complexity 1.00037704324
Source: 8XMlaeHQXZ.exeVirustotal: Detection: 21%
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\8XMlaeHQXZ.exe "C:\Users\user\Desktop\8XMlaeHQXZ.exe"
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 212
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5856
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA26E.tmpJump to behavior
Source: classification engineClassification label: mal56.winEXE@2/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: 8XMlaeHQXZ.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x104c00
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.372441520.0000000000B04000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.372358336.0000000000B1B000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.372382776.0000000000B0A000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.372317581.0000000000B1B000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp
Source: 8XMlaeHQXZ.exeStatic PE information: real checksum: 0x122111 should be: 0x3a656
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name:
Source: 8XMlaeHQXZ.exeStatic PE information: section name: .m8o02uE
Source: 8XMlaeHQXZ.exeStatic PE information: section name: .adata
Source: 8XMlaeHQXZ.exeStatic PE information: 0xFBDADAB2 [Sun Nov 25 08:54:10 2103 UTC]
Source: initial sampleStatic PE information: section name: entropy: 7.99485148323
Source: initial sampleStatic PE information: section name: entropy: 7.80837604511
Source: initial sampleStatic PE information: section name: entropy: 7.87119921588
Source: initial sampleStatic PE information: section name: entropy: 7.59715435366
Source: initial sampleStatic PE information: section name: entropy: 7.99861729183
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: Amcache.hve.3.drBinary or memory string: VMware
Source: Amcache.hve.3.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.drBinary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.3.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.drBinary or memory string: VMware, Inc.
Source: WerFault.exe, 00000003.00000003.383855971.0000000000B12000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: Amcache.hve.3.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.drBinary or memory string: VMware7,1
Source: Amcache.hve.3.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.3.drBinary or memory string: VMware, Inc.me
Source: Amcache.hve.3.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exeProcess queried: DebugPortJump to behavior
Source: Amcache.hve.3.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion1OS Credential DumpingSecurity Software Discovery21Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsSoftware Packing2LSASS MemoryVirtualization/Sandbox Evasion1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Timestomp1NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.