
Windows Analysis Report SW0P9o9ksjpBsnr.exe

Overview

General Information

Sample Name: SW0P9o9ksjpBsnr.exe
Analysis ID: 547727
MD5: 27f2a9688ec34fc8aa3b0fee4757dd71
SHA1: 9464f6bea3222c5598ecd9d29a8bc68c0998f926
SHA256: 5733ad0577f5b8fc7e939b1daff3ff98b339bb47542a138b659e47b9001fbbd2
Tags: exe, RemcosRAT

Detection

HawkEye Remcos AgentTesla AveMaria MailPassView UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UACMe UAC Bypass tool
Detected HawkEye Rat
Yara detected AveMaria stealer
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Contains functionality to log keystrokes (.Net Source)
Contains functionality to steal e-mail passwords
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Yara detected WebBrowserPassView password recovery tool
Contains functionality to steal Chrome passwords or cookies
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Contains functionality to inject threads in other processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to download and execute PE files
Yara detected Keylogger Generic
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • SW0P9o9ksjpBsnr.exe (PID: 5468 cmdline: "C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe" MD5: 27F2A9688EC34FC8AA3B0FEE4757DD71)
    • BackgroundTransferHost.exe (PID: 4928 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
      • bin.exe (PID: 6480 cmdline: "C:\Users\user\AppData\Local\Temp\bin.exe" 0 MD5: 805FBB84293E86F25B566A5B2C2815D2)
        • powershell.exe (PID: 6572 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 6580 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • warz.exe (PID: 6544 cmdline: "C:\Users\user\AppData\Local\Temp\warz.exe" 0 MD5: 1D90A7DA17807F64F1699E5EA2091A36)
        • powershell.exe (PID: 6764 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • images.exe (PID: 6824 cmdline: C:\ProgramData\images.exe MD5: 1D90A7DA17807F64F1699E5EA2091A36)
          • powershell.exe (PID: 7092 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 7156 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rem.exe (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\rem.exe" 0 MD5: 9E764165FBA9E86937643D84A2F4E063)
      • hawkstartup.exe (PID: 6776 cmdline: "C:\Users\user\AppData\Local\Temp\hawkstartup.exe" 0 MD5: AEAF1943FB037B6529873D7CC47CE137)
        • Windows Update.exe (PID: 3328 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: AEAF1943FB037B6529873D7CC47CE137)
          • dw20.exe (PID: 5040 cmdline: dw20.exe -x -s 2228 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 1456 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 4692 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 1896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2232 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • WerFault.exe (PID: 4600 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2232 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • ori4.0dec23sta.exe (PID: 6988 cmdline: "C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe" 0 MD5: F41809BC71EEB2C3B1676309139216A8)
      • ori2.0dec23sta.exe (PID: 7112 cmdline: "C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe" 0 MD5: 421138225D5DEE81805C5E5072898504)
      • BackgroundTransferHost.exe (PID: 6776 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
    • SW0P9o9ksjpBsnr.exe (PID: 4928 cmdline: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe MD5: 27F2A9688EC34FC8AA3B0FEE4757DD71)
  • bin.exe (PID: 7136 cmdline: "C:\Users\user\AppData\Local\Temp\bin.exe" MD5: 805FBB84293E86F25B566A5B2C2815D2)
  • WindowsUpdate.exe (PID: 6840 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: AEAF1943FB037B6529873D7CC47CE137)
  • 100.exe (PID: 5772 cmdline: "C:\Users\user\AppData\Roaming\100\100.exe" MD5: F41809BC71EEB2C3B1676309139216A8)
  • WindowsUpdate.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: AEAF1943FB037B6529873D7CC47CE137)
  • 100.exe (PID: 6576 cmdline: "C:\Users\user\AppData\Roaming\100\100.exe" MD5: F41809BC71EEB2C3B1676309139216A8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\100\100.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Roaming\100\100.exe | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
C:\ProgramData\images.exe | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\ProgramData\images.exe | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x191f0:$c1: Elevation:Administrator!new:
C:\ProgramData\images.exe | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
  • 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data

Memory Dumps

Source | Rule | Description | Author
0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000001F.00000002.435763826.00000000081E0000.00000004.00020000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df