Windows
Analysis Report
xYWm6BV3NZ.exe
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Telegram Recon
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses the Telegram API (likely for C&C communication)
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Binary contains a suspicious time stamp
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Classification
- System is w10x64
xYWm6BV3NZ.exe (PID: 4400 cmdline:
"C:\Users\ user\Deskt op\xYWm6BV 3NZ.exe" MD5: 166C72239B76C7F2DCD5CB02138ADC42) conhost.exe (PID: 4984 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security |
There are no malicious signatures, click here to show all signatures.
Source: | Author: Brandon George (blog post), Thomas Patzke (rule): |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Networking |
---|
Source: | DNS query: |
Source: | DNS query: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |