Windows Analysis Report
8A3kk3sc5r.exe

Overview

General Information

Sample Name: 8A3kk3sc5r.exe
Analysis ID: 567602
MD5: eedfa32e8a73f543f237b4f9ae575176
SHA1: abf870b3c7bfaff9a0a1bec1fdabb93853696114
SHA256: 1ceb2e740663635ec5944806dc83db30f907c6ea531e57766b46b57a9e250558
Tags: exe, Socelars

Detection

Socelars
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected Socelars
Multi AV Scanner detection for domain / URL
Machine Learning detection for sample
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Enables driver privileges
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Enables security privileges
Found large amount of non-executed APIs

Classification

  • System is w10x64
  • 8A3kk3sc5r.exe (PID: 4360 cmdline: "C:\Users\user\Desktop\8A3kk3sc5r.exe" MD5: EEDFA32E8A73F543F237B4F9AE575176)
    • WerFault.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1916 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"C2 url": "http://ngdatas.pw/"}
Source | Rule | Description | Author | Strings
8A3kk3sc5r.exe | JoeSecurity_Socelars | Yara detected Socelars | Joe Security
8A3kk3sc5r.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x146b58:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x146ba8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1459c0:$s1: CoGetObject
  • 0x146a14:$s2: Elevation:Administrator!new:

Source | Rule | Description | Author | Strings
00000001.00000000.306336689.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security
00000001.00000000.297416868.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security
00000001.00000002.323735047.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security
00000001.00000000.305596513.0000000000EAB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security
Process Memory Space: 8A3kk3sc5r.exe PID: 4360 | JoeSecurity_Socelars | Yara detected Socelars | Joe Security

Source | Rule | Description | Author | Strings
1.0.8A3kk3sc5r.exe.d90000.2.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security
1.0.8A3kk3sc5r.exe.d90000.2.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x146b58:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x146ba8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1459c0:$s1: CoGetObject
  • 0x146a14:$s2: Elevation:Administrator!new:
1.0.8A3kk3sc5r.exe.d90000.1.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security
1.0.8A3kk3sc5r.exe.d90000.1.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x146b58:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x146ba8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1459c0:$s1: CoGetObject
  • 0x146a14:$s2: Elevation:Administrator!new:
1.2.8A3kk3sc5r.exe.d90000.0.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security
No Sigma rule has matched

AV Detection

Source: 8A3kk3sc5r.exe | Malware Configuration Extractor: Socelars {"C2 url": "http://ngdatas.pw/"}
Source: 8A3kk3sc5r.exe | Virustotal: Detection: 64%
Source: 8A3kk3sc5r.exe | ReversingLabs: Detection: 74%
Source: 8A3kk3sc5r.exe | Avira: detected
Source: http://www.tpyyf.com | Avira URL Cloud: Label: malware
Source: https://www.listincode.com/i | Avira URL Cloud: Label: malware
Source: http://www.tpyyf.com/Home/Index/getdata | Avira URL Cloud: Label: malware
Source: www.listincode.com | Virustotal: Detection: 7%
Source: 8A3kk3sc5r.exe | Joe Sandbox ML: detected
Source: 1.0.8A3kk3sc5r.exe.d90000.2.unpack | Avira: Label: JS/SpyBanker.G2
Source: 1.0.8A3kk3sc5r.exe.d90000.1.unpack | Avira: Label: JS/SpyBanker.G2
Source: 1.0.8A3kk3sc5r.exe.d90000.0.unpack | Avira: Label: JS/SpyBanker.G2
Source: 1.2.8A3kk3sc5r.exe.d90000.0.unpack | Avira: Label: JS/SpyBanker.G2
Source: 8A3kk3sc5r.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: 8A3kk3sc5r.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Source: C:\Users\user\Desktop\8A3kk3sc5r.exe | DNS query: name: iplogger.org
Source: Malware configuration extractor | URLs: http://ngdatas.pw/
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 148.251.234.83
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
  Host: www.listincode.com
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /1GWfv7 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
  Host: iplogger.org
  Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: 8A3kk3sc5r.exe | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 8A3kk3sc5r.exe, 00000001.00000000.305760385.0000000001248000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000003.301299081.0000000001248000.00000004.00000020.00020000.00000000.sdmp, 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 8A3kk3sc5r.exe | String found in binary or memory: http://ngdatas.pw/
Source: 8A3kk3sc5r.exe | String found in binary or memory: http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: 8A3kk3sc5r.exe | String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe
Source: 8A3kk3sc5r.exe | String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband
Source: 8A3kk3sc5r.exe | String found in binary or memory: http://www.tpyyf.com
Source: 8A3kk3sc5r.exe | String found in binary or memory: http://www.tpyyf.com/Home/Index/getdata
Source: 8A3kk3sc5r.exe, 00000001.00000003.302100919.0000000001248000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://iplogger.org/