Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
2cB42TzofC

Overview

General Information

Sample Name:2cB42TzofC (renamed file extension from none to exe)
Analysis ID:565576
MD5:f47ddf38902e6e745ae49168bc55c0fc
SHA1:e7cc7bd70b128d63ef1e54345d6b97d8fd02ffb8
SHA256:0d2ada23e3ed12fff4c0e31377f1f577bcca7694b73545049a36f443d6c83215
Tags:32exetrojan
Infos:
Errors
  • Sigma runtime error: Invalid condition: ( false && false || false Rule: Logon Scripts (UserInitMprLogonScript)

Detection

PhoenixKeylogger
Score:66
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected PhoenixKeylogger
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Execution from Suspicious Folder
Sigma detected: WScript or CScript Dropper
Contains functionality to capture screen (.Net source)
.NET source code references suspicious native API functions
Uses shutdown.exe to shutdown or reboot the system
Sigma detected: Suspicious Remote Thread Created
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
File is packed with WinRar
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • 2cB42TzofC.exe (PID: 6400 cmdline: "C:\Users\user\Desktop\2cB42TzofC.exe" MD5: F47DDF38902E6E745AE49168BC55C0FC)
    • systems.exe (PID: 2880 cmdline: "C:\Users\Public\Downloads\systems.exe" MD5: 9FBC8CDC78C518EBF6774752EC178B13)
      • explorer.exe (PID: 6304 cmdline: "C:\Windows\System32\explorer.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 160 cmdline: "C:\Windows\System32\explorer.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 6040 cmdline: "C:\Windows\System32\explorer.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 7076 cmdline: "C:\Windows\System32\explorer.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 6196 cmdline: "C:\Windows\System32\explorer.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 6496 cmdline: "C:\Windows\System32\explorer.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 2584 cmdline: "C:\Windows\System32\explorer.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 6824 cmdline: "C:\Windows\System32\explorer.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
    • wscript.exe (PID: 6976 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\vbs.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • cmd.exe (PID: 7076 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\vbs.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • shutdown.exe (PID: 5936 cmdline: shutdown -r -t 50 MD5: E2EB9CC0FE26E28406FB6F82F8E81B26)
  • explorer.exe (PID: 6756 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 4324 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 2920 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 6912 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 360 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 5292 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 4104 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: PhoenixKeylogger

{"Exfil Mode": "SMTP", "To": "emre.alagoz.44@gmail.com", "From": "keylogar99@gmail.com", "SMTP Server": "smtp.gmail.com", "Password": "10203040eam.", "port": "587"}

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\Public\Downloads\systems.exeJoeSecurity_PhoenixKeyloggerYara detected PhoenixKeyloggerJoe Security
    C:\Users\Public\Downloads\systems.exeINDICATOR_SUSPICIOUS_EXE_DotNetProcHookDetects executables with potential process hoockingditekSHen
    • 0x12d90:$s1: UnHook
    • 0x12d2c:$s2: SetHook
    • 0x12d65:$s3: CallNextHook
    • 0x12473:$s4: _hook
    C:\Users\Public\Downloads\systems.exeMALWARE_Win_PhoenixPhoenix/404KeyLogger keylogger payloadditekSHen
    • 0x1269e:$s2: StartKeylogger
    • 0x1314d:$s3: CRYPTPROTECT_
    • 0x1316e:$s3: CRYPTPROTECT_
    • 0x1318d:$s3: CRYPTPROTECT_
    • 0x16dc2:$m2: - Clipboard -------|
    • 0x17076:$m3: - Logs -------|
    • 0x17467:$m4: - Passwords -------|
    • 0x1749f:$m5: PSWD
    • 0x170a4:$m7: Logs |

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000007.00000000.289663660.0000000000222000.00000002.00000001.01000000.00000005.sdmpJoeSecurity_PhoenixKeyloggerYara detected PhoenixKeyloggerJoe Security
      00000007.00000000.289663660.0000000000222000.00000002.00000001.01000000.00000005.sdmpMALWARE_Win_PhoenixPhoenix/404KeyLogger keylogger payloadditekSHen
      • 0x1249e:$s2: StartKeylogger
      • 0x12f4d:$s3: CRYPTPROTECT_
      • 0x12f6e:$s3: CRYPTPROTECT_
      • 0x12f8d:$s3: CRYPTPROTECT_
      • 0x16bc2:$m2: - Clipboard -------|
      • 0x16e76:$m3: - Logs -------|
      • 0x17267:$m4: - Passwords -------|
      • 0x1729f:$m5: PSWD
      • 0x16ea4:$m7: Logs |
      00000007.00000002.812023863.0000000000222000.00000002.00000001.01000000.00000005.sdmpJoeSecurity_PhoenixKeyloggerYara detected PhoenixKeyloggerJoe Security
        00000007.00000002.812023863.0000000000222000.00000002.00000001.01000000.00000005.sdmpMALWARE_Win_PhoenixPhoenix/404KeyLogger keylogger payloadditekSHen
        • 0x1249e:$s2: StartKeylogger
        • 0x12f4d:$s3: CRYPTPROTECT_
        • 0x12f6e:$s3: CRYPTPROTECT_
        • 0x12f8d:$s3: CRYPTPROTECT_
        • 0x16bc2:$m2: - Clipboard -------|
        • 0x16e76:$m3: - Logs -------|
        • 0x17267:$m4: - Passwords -------|
        • 0x1729f:$m5: PSWD
        • 0x16ea4:$m7: Logs |
        Process Memory Space: systems.exe PID: 2880JoeSecurity_PhoenixKeyloggerYara detected PhoenixKeyloggerJoe Security
          Click to see the 1 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          7.0.systems.exe.220000.0.unpackJoeSecurity_PhoenixKeyloggerYara detected PhoenixKeyloggerJoe Security
            7.0.systems.exe.220000.0.unpackINDICATOR_SUSPICIOUS_EXE_DotNetProcHookDetects executables with potential process hoockingditekSHen
            • 0x12d90:$s1: UnHook
            • 0x12d2c:$s2: SetHook
            • 0x12d65:$s3: CallNextHook
            • 0x12473:$s4: _hook
            7.0.systems.exe.220000.0.unpackMALWARE_Win_PhoenixPhoenix/404KeyLogger keylogger payloadditekSHen
            • 0x1269e:$s2: StartKeylogger
            • 0x1314d:$s3: CRYPTPROTECT_
            • 0x1316e:$s3: CRYPTPROTECT_
            • 0x1318d:$s3: CRYPTPROTECT_